The Journal of AUUG Inc. Volume 24 ¯ Number 2 June 2003
Features:
Microsoftens 10 OpenBSD 3.3 Released 11 Linux System’ Administrator’s Security Guide (Part 1) 15 The Roadman for FreBSD 5-stable 20 Mail and Dynamic IP 24 Intrusion Detection System (Part 1) 25 FreeBSD 5.1 Release Process 40 SCO-vs.-IBM: the Open Source Initiative Position Paper on the Complaint 41 AUUG 2003 Systems Administration Symposium Photo Gallery 57 NetBSD 1.6.1 CD 58
News:
Public Notices 4 AUUG: Corporate Members 9 AUUG Conference 2003 Invitation 59 AUUG Membership Renewal 61 AUUG: Chapter Meetings and Contact Details 63
Regulars:
President’s Column 3 My Home Network 4
ISSN 1035-7521 Print post approved by Australia Post - PP2391500002
AUUG Membership and General Correspondence The AUUG Secretary PO Box 7071 Edi oria Baulkham Hills BC NSW 2153 Con Zymaris auu.qn@auu,q.or,q.au Telephone: 02 8824 9511 or 1800 625 655 (Toll-Free) I imagine I’m not alone in expressing fond memories Facsimile: 02 8824 9522 Email: [email protected] of both Carl Sagan and Stephen Jay Gould. Both of these gentleman were not only practicing scientists AUUG Management Committee but also exemplary communicators of science and of Email: [email protected] the technical, complex and beautiful cosmos that we inhabit. President Greg Lehey PO Box 460 Through his combination of vision and chutzpah, Echunga, SA, 5153 Sagan caused us to pause for a moment and consider Bus. Tel (08) 8388 8286, Mobile 0418 838 708, Fax (08) 8388 8725 the majesty of star-stuff, of galaxies and of the human
Adrian Close It seems to me that many non-computer-scientists Ph: +61 7 5596 2277 Fax: +61 7 5596 6099 are rushing to define how we technologists should go Mobile: +61 417 346 094 st
Mark White Why are groups like AUUG’s members well placed to apviva technology partners help bring about an increased enlightenment amongst P. O. Box 1870, Toowong QLD 4066 the IT laity?. To be franl;, it all boris down to having Bus Tel 07 3876 8779, Mobile 04 3890 0880 the kind of mind that just gets ’it’. Further, this
AUUGN Vol.24, No.2 - 1 - June 2003 AUUGN Editorial Committee
C niribuiio The AUUGN Editorial Committee can be reached by sending emil to: auu,~n@auu~.or~.au
Deadlines for AUUGN Or to the following address: in 2093 AUUGN Editor Editor: Con Zymaris Volume 24 ~ Number 3 - September 2003: August PO Box 7071 Baulkham Hills BC NSW 2153 30t~,, 2003 Sub-Editors: Volume 24 o Number 4 - December 2003: November Frank Crawford, Mark White th, 15 2003 Contributors: This issue would not have happened without the transcription and editorial efforts of Gary R. Schmidt" <,[email protected]>, Rik Harris
AUUGN Submission Guidelines
Submission guidelines for AUUGN contributions can be obtained from the AUUG World Wide Web site at: ¯ www.auug.org.au
Alternately, send email to the above correspondence address, requesting a copy.
AUUGN Back Issues
A variety of back issues of AUUGN are still available. For price and availability please contact the AUUG Secretariat, or write to: AUUG Inc. Back Issues Department PO Box 7071 Baulkham Hills BC NSW 2153 Telephone: 02 8824 9511
Conference Proceedings A limited number of copies of the Conference Proceedings from previous AUUG Conferences are still available. Contact the AUUG Secretariat for details. Mailing Lists
Enquiries regarding the purchase of the AUUGN mailing list should be directed to the AUUG Secretariat.
Disclaimer
Opinions expressed by the authors and reviewers are not necessarily those of AUUG Inc., its Journal, or its editorial committee.
Copyright Information
Copyright © 2003 AUUG Inc.
All rights reserved. Portions © by their respective authors, and released under specified licences.
AUUGN is the journal of AUUG Inc., an organisation with the aim of promoting knowledge and understanding of Open Systems, including, but not restricted to, the UNIX@ operating system, user interfaces, graphics, networking, programming and development environments and related standards.
Copyright without fee is permitted, provided that copies are made without modification, and are not made or distributed for commercial advantage.
AUUGN Vol.24 ¢ No.2 - 2 - June 2003 site at President’s C lumn http: //www. auug, org. au/publications/press / SCO- stance.html. The following day revealed the most Greg Lehey
There are so many reasons to find the lawsuit completely ludicrous. I’ve summarized some of them at http://www.lemis.com/grog/sco.html, and I’m still doing so. At the end of May, AUUG made its standpoint clear with a press release, now on our web
AUUGN Vol.24 o No.2 3 - June 2003 Public No ces :My Home Network Upcoming Conferences & Events (J ne 2003) By: Frank Crawford
AUUGN Vol.24 o No.2 - 4 - June 2003 the middle of some crucial Windows files, at that, that it would take most of the 40GB disk. On the other hand, Linux spreads across multiple partitions Well, now I decide to really start looking at what is and disks happily, so it can use some of the 40GB going on, and my first step is to reboot into Linux, disk and the 20GB disk. which is also on this system. So, being from the old school, and doing the simplest things first, I just ran To copy the Windows XP partition, all I could really a "dd’ across the disk, and sure enough, the Linux use was Norton Ghost, and while it had problems kernel spits out disk error messages in the Windows earlier with the bad blocks, there are options to partition. Now, why didn’t Windows do this??? continue past them. So firstly, copy the partition to a Anyway, back to reports. Disks for some time have new disk. Next, copy the Linux partitions to the new had some form of self test capability, called SMAt~, disks, swap disks and boot. Now, while Ghost can and one of the recent items in the kernel-utils copy Linux ext2/ext3 partitions, it does seem to have package is "smartd’ and "smartctl’, to monitor and some issues. I much prefer to use dump/restore to report on the disk. So, kicking that off (and it did create a new partition. In fact, I’ve done this so often have some issues) it agreed that there were problems that I’ve written a little script to do the copy. with the disk.
Now, I haven’t ever had any disk problems with my home network, although at work I had problems some time back. To correct this I just mapped out the bad blocks and continued on. Worst case would have been to do a low-level format of the disk. Now, all this was for SCSI disks, but I wouldn’t expect that much difference for IDE. I couldn’t have been more wrong. Firstly, for retail IDE disks, there is no capability for bad-block mapping, no low-level format utilities, no support of any type for handling media errors. The only option is to return the disk under warranty. Even this is a bit of an issue, as recently Seagate has changed the warranty period from 3 years to 1 year for new disks.
As the disk was nearly 9 months old, I had to return it directly to Seagate, after obtaining an RMA number. To do this I had to download the SeaTools Disk Diagnostics from Seagate’s site (http://download.sea~ate.com/seatools/), run it and # :Now update generate a diagnostic report. There are a number of different versions of this, including Windows, Linux grubLpre_~_~ i~ afiX=$grubdir ., and stand-alone (i.e. DOS) versions. I chose the stand-alone version, so I could check all my Seagate disks (an advantage of standardising). The procedure $grub sh~’i~ =~batc~ was basically, download, run the self-extracting device (hdO) executable to create a bootable floppy, boot floppy tO:St." (~dO~;:O~) A~dP .$ fSgCe_lba and run the test. While there are a number of test p:~:f:iX~$ grub_pr e fix levels, in this case the simplest, which is reading the quik: SMART results from the disk, verified the fault and EOF .... generated a failure report to go with the RMA. To exit 0 obtain an RMA, I connected to http: //www.sea~ate. corn/supp ort/service and Now this script does some things the way I want, in selected "Drive Return Procedure" item 3 (RMA). particular setting the forced check of the disk to once Once this was done, I was in a position to return the every 20+ mounts or 6 months. More importantly, disk, but I was told that it could take up to six weeks "grub’, the boot loader of choice for Red Hat 8.0, is a for a replacement disk to be returned (Seagate return royal pain to install on anything other than the an equivalent disk, and then repair the faulty disk current boot disk. The parts of the scripts that relate which returns to their spares). In the end, it only to "grub’ come from some hunting on the grub took three weeks, and I could track it via Seagate’s maintainers mailing list (see Google to find it) and I’m Website. not 100% sure that it works fully. If you want to get into more fun with "grub’, try it with mirrored system Now, given that I would lose all the data on the disk I disks. You need something like this repeated determined to copy everything I could. I borrowed a multiple times, and the standard script, "grub-install’, 40GB disk and had an old 20GB disk around, so I set doesn’t know what to do with "rod" devices. I should about trying to squeeze things onto the 60GB of add that I did modify this script a little for my copy, space. Given that I prefer to only have a single as I was going from hda to partitions on both hdb and Windows partition (now running NTFS) it was obvious
AUUGN Vol.24 ~ No.2 - 5 - June 2003 hdd, but I will leave that as an exercise for the reader. remote restores and other tasks. The package can be obtained from http: //mkcdrec.ota.be/, and is Anyway, after all this, Linux was copied and running currently up to version 0.7.1 (released March 2003), on the new disks, Windows was copied, but still although I only have 0.6.7 at present. The mkCDrec broken on the new disks and I was ready to ship off project does not try to do everything itself, but rather the faulty disk. makes use of other tools to do the real work.
Now back to Windows XP not working. It was obvious Now in addition to the basic system there is a that something was wrong with the system, and with additional package of useful utilities that can be everything built into the system registry it is not an downloaded to supplement the package. This easy thing to fix. Just as much of a problem was that includes partition editors (’parted’), salvage tools the fflesystem for my Windows XP system is now (’recover’, "e2salvage’, etc), memory testers and, most NTFS, which is not writable by anything except important for me, an offline NT password editor, Windows. (Well there is experimental write support in "chntpw’. In fact "chntpw’ allows far more than just Linux, but it looks very, very dangerous.) I did this changing passwords, it can be used to make offline both because I believe that NTFS is a far superior file changes to Windows Registry files. Obviously, since system to FAT; and because FAT32 filesystems isn’t Microsoft don’t supply any documentation about the supported for a size greater than 32GB (even though registry structure, most of the details have been it can be done). found through trial and error, and as such, it should be used at your own risk. The home for this utility There were a couple of steps I took to try and rectify seems to be the problem. Firstly I installed the Windows XP http://home.eunet.no/~pnordahl/ntpasswd/ Recovery Console on the disk, which allowed me to and also seems to have a bootable disk for accessing access the system to both read and write files. I NTFS filesystems. ended up finding where Windows stored the Registry Files (in "%SystemRoot%/System32/Config"), and However, in my case this wasn’t necessary, as I where it stored backup copies copied the registry files and worked on them on the ("%SystemRoot%/Repair"). However, I also discovered Linux system, rather than trying anything directly on that there were few tools to edit it, and that the saved the Windows partition. Unfortunately, while I could versions were overwritten by the Recovery Install I’d look at everything, I could find nothing that seemed to done right back at the start. be wrong.
One feature of the Recovery Console (not to be Ultimately, after a few weeks of poking and prodding confused with the Recovery Install) is that it can list, and trying different things, none of which worked, I enable and disable system devices and services, so decided to give up and reinstall from a very old image you can try and recover from problems with bad I had, from well before the upgrade to Windows XP. I devices, etc. So, with a bit of paper and a lot of time, then followed this by an upgrade to Windows XP and I stopped most items that looked like they could be all the relevant software (or at least those I could problems. After a little of this I decided to see if there remember :-)). really was a problem with the hardware, and installed a second copy of Windows XP on the same disk but in At this point you would think I would be out of the a different directory. This worked fine, and everything woods, but no. My replacement disk had arrived was okay in this implem.~entation, except that most of back and I went to install it (after checking that it was the programs I wanted to use, were not available. To good ;-)). Again Linux copied fine, and again Windows go any further with this installation I would have to XP was another matter. reinstall everything! Now, this time I was sure something strange was This new installation did give me one additional going on, since everything was running on the other capability, it made it much easier to copy files in and disk, and yet things just seemed to hang up with the out of the disk. It also gave me a working registry to new disk. After playing around a little bit more, I compare the old system with. The only thing was, I stumbled on the issue, at least for this copy. For didn’t have any tools to examine the broken registry some reason, even though I followed all the with, or so I thought! restrictions in copying, Windows had decided that the new disk was drive D: and a number of the drivers Tools to do offline editing of the Windows Registry not surprisingly referred to drive C:. After a week of appear to be very rare, and most things I found that searching and reading, on the Symantec site I tracked mentioned it cost money and yet didn’t seem to do down an option to clear the drive signature that what I wanted. However, as it turned out, there was Windows XP (and 2000) puts on each disk, when it one utility I already had that would do just what I copies the partition. By doing this, it forces Windows wanted, and yet it took me two weeks to find it. to "reinstall" the disk, and correctly identify it as a new C: drive. Of course the obvious question after Recently I downloaded an emergency package for this second problem is, "was this the same problem Linux call "mkCDrec’, which allows you to create an that caused me to reinstall?". Unfortunately, I can’t emergency recovery CD for your Linux system. It answer that, as I no longer had a copy of the original includes the ability to back up the system, perform system. The problems were a little different, but that
AUUGN V01.24, No.2 - 6 - June 2003 may just have been different manifestations of the same problem. So, what do others do for their home network? What other disasters have you had and had to recover from. So, after a month or more of installation, Let me know, or better still, write it up and let reinstallation, changing and exploring, what did I everyone know. learn. Firstly, Unix/Linux systems are much simpler to debug and diagnose problems. Under Windows, most critical information is either in binary files, with no easy tools to process in an emergency, or very basic debug output is written to files in whatever fashion the original programming team deemed fit. For Unix most initial data is in ASCII fries and in standard locations. Even more, because it is so common, it is a fairly standardised format. I have :5 servers as follows these are a!l new Secondly, even at the most basic level, most tools are available for use, and work as they do when the system is fully configured. As well, the lack of HP900.0 series ~. A400:-rack:!~:!~t ~:~X se~ers reliance on a GUI makes much more information with i~ual RiSC .~/oceS~ available and written to the console during boot and and running. In fact the continuing messages written to the console is something that Windows can’t compete AS00 gervers are.::comp~!!},!~U:/faek with, during debugging. I should note that Windows XP has the capability of writing debugging information to one of the serial ports, but this requires far more support for it. ~te~e{ a~pli~atibnS~, ~r6~lig;~ ~ ; ~nd The next thing I should have learnt, but haven’t is the value of backups. In fact, as a professional System " Administrator, I know the value of backups, and Way ~ :pr;:~egs~r : ~onfigh~a~;~g~ 6pfiOn~l generally ensure that I can restore just about second :.::cPU;. ~:/.~ Available .Base;:: everything, but for my home systems, I have some memo~ up~ad~a~ie: ~6 2GB:(A4OO)::.2.imemal major financial constraints. As I said at the start, this is the first disk failure I have suffered, and at the same time, I have a lot of storage available through (mai?:~:, -72 ~ GIGA :B:~E)i~,~:~.,.extemal : out the network. Disk sizes are growing rapidly, but ;apa~i~y Ul~r~sesi, Ultla2: :~S~SI;:-:: 100Base;T backup media is not. At home I have a QIC tape drive capable of backing up around 250-425MB ...... :... (uncompressed) per tape and a CD writer that again co~edfi6~S;~, tOgaS:e~T.; Suppo~ ~LAN; can take about 700MB. At the same time I have over baSed ~le Supp6~d 0~e g gygt~s H,, 250GB of disk storage available to me.
Assuming that I am only using 50% of the disk space I would need over 150 CDs to back it all up. Even moving past the number of CDs, an issue comes up Price¯ $3,300:00, ’ ...... Rec Retail $6500~00 with the software. While I can use dump/restore or some other related product for Linux, I have to find something that will work for Windows. Not an easy ask. And then after that we would get to the Macintosh-’s I still have around the place. Phone~02,9713:7999 Fax 02~97.05:2255. To be honest, I will probably look at a DVD writer, which would reduce the disks needed, but still only by a factor of 4 or 5, and still at a cost of around MY PHONE PTY LTD $100-$200 for media (not counting the cost of the writer). In fact I might consider a major shift in my ACN:.063.150.041 backup strategy and purchase a large slow disk, e.g. 15 >140GB and use it for full backups and then possibly doing incrementals to CDs or DVDs. RUSSELL LEA NSW 2046
Finally, I really do need to investigate more tools to handle such disaster situations. I certainly intend to look further into mkCDrec, as it looks very useful, and would fit the strategy I have, but I’m also interested in others.
AUUGN Vol.24 - No.2 7 - June 2003 by students or demonstrate their use in a school’s (or educational institution’s) administrative area.
Paper presentations should aim for 30 minutes with THE OPEN SOURCE EDUCATION CONFERENCE 10 minutes question time. Other formats, such as a Introducing the Conference workshop or led discussion, may be available. To submit a paper, e-mail: o David Lloyd
AUUGN Vol.24 ~ No.2 - 8 - June 2003 ~/~INI-CONFS AUUG Corporate
Expanding the main conference are our "pre- Members conferences", known as a collection of "mini-confs". as at 1st June 2003 These are informal sessions where conference attendees can meet prior to the main conference to ac3 talk on topics of common interests. Currently there ANSTO are 5 planned mini-confs: Debian, Linux Audio, ANU EducationaLinux, IPv6 and Python. Please see Apple Computer Australia Pry Ltd http://lca2004.1inux.org.au/miniconf.cgi for further Aust Centre for Remote Sensing details. Australian Bureau of Statistics Australian Taxation Office ~:~ARTNERS~ ]PROGRAMME Bradken British Aerospace Australia In an attempt to make attendance at all of Bureau of Meteorology Linux. Conf.Au’s events easier for conference Cape Grim B.A.P.S. delegates, we have introduced a Partners’ Programme Computing Services, Dept Premier & Cabinet to provide activities for partners and their families. Corinthian Industries (Holdings) Pty Ltd Currently we are conducting a survey for potential Cray Australia partner programme attendees to fill in to help the CSIRO Manufacturing Science and Technology conference in its organisation of this event. If you CSIRO Telecommunications & Industrial Physics believe your partner may make use of such a facility, Curtin University of Technology could you please have your partner fill in our survey Cybersource Pty Ltd at http://lca2004.1inux.org.au/partners.cgi Deakin University Department of Land & Water Conservation 1V~ ORE INFORMATION Energex Everything Linux & Linux Help The latest news about Linux.Conf.Au 2004 can be Fulcrum Consulting Group found at our website: http: //lca2004.1inux. org. au IBM Land and Property Information, NSW In addition, a low-volume, no-spam email list has LPINSW been made available so conference related Macquarie University announcements can be communicated. Please Multibase WebAustralis Pty Ltd subscribe to this service at National Australia Bank http: //lists. linux, org. au/listinfo /lca- announce NSW Public Works & Services, Information Services [11 These speakers in good faith have indicated that Peter Harding & Associates Pty Ltd they will speak at the conference. Some changes in Rinbina Pty Ltd the line-up of speakers may occur closer to the event St. Vincent’s Private Hospital due to unforseen circumstances. Sun Microsystems Australia Tellurian Pty Ltd The University of Western Australia Thiess Pty Ltd Uni of NSW - Computer Science & Engineering UNITAB Limited University of New England University of New South Wales University of Sydney University of Technology, Sydney Workcover Queensland
AUUGN Vol.24 ~ No.2 - 9 - June 2003 to connect their own CAPI to Windows, supposedly in Micr s f ens order to eliminate any risk that US intelligence Author: Eben Moglen services have embedded spy code in the company’s products. [Note: Eben Moglen is professor of law at Columbia University Law School. He serves without fee as General Counsel of the Free Unprecedented as the program to show source to Software Foundation. You can read more of his writing at foreign governments and permit limited modification http://moglen.law.columbia.edui] was, Microsoft took an even more extraordinary step in its recent filings with the US Securities and There’s plenty of uneasiness in Redmond, Exchange Commission. The SEC requires publicly- Washington, these days. Microsoft has begun to traded companies to file quarterly statements internalize the recognition that the next, and quite indicating any major changes in position since the probably final, period of its existence will be publication of their annual reports, and disclosing dominated by competition with free software. That any new or additional risks to their profitability. competition presents challenges the monopoly has Microsoft now states that "the popularization of the never faced before, and already it has become Open Source movement continues to pose a necessary, at what Microsoft hopes is still an early significant challenge to the Company’s business stage in the confrontation, to take steps that no other model, including recent efforts by proponents of the competitor has ever had the power to force. Open Source model to convince governments worldwide to mandate the use of Open Source Competing with free software is problematic for software in their purchase and deployment of Microsoft for many reasons. There’s no company to software products. To the extent the Open Source acquire, in the first place, in order to incorporate or model gains increasing market acceptance, sales of suppress attractive competing products - a strategy the Company’s products may decline, the Company that the monopoly has pursued so often and so may have to reduce the prices it charges for its successfully in the past. Because free software is products, and revenues and operating margins may continually modified and improved by all its users, consequently decline." there’s no ’evolutionary dead end’ argument with which to scare customers: someone choosing to use Naturally Microsoft has always found it desirable to free software is never going to be left with an emphasize in its SEC filings that it faces market unserviceable product whose maker has gone out of competition: its antitrust difficulties render it eager to business, leaving the code ’orphaned’ in the face of discuss the highly competitive nature of the software constantly shifting technology. Microsoft’s implicit market at every opportunity. But this decision to message to its customers has been ’We’re always acknowledge free software as a fundamental challenge going to exist; our competitors, whose products you to the Microsoft ’business model,’ along with the quite are considering, won’t last forever.’ But technically specific acknowledgement that prices of its products sophisticated corporate and governmental users now will have to be cut, represents a watershed moment in realize that the free software codebase will last the monopoly’s history. The global investment indefinitely, capable of renewal and replacement for community now has the best possible authority for as long as its users need it. No matter how long taking a second look at its unquestioned belief in Microsoft lasts, free software will last longer. Microsoft’s durability: the official statements of the company itself. As I have said in this space recently, one of the hottest fields of competition at the moment is also the These new statements, of course, like all other largest aggregate software market on earth: the Microsoft pronouncements on our movement, eschew world’s governments. More than sixty-five countries two words: ’free software.’ The company still cannot and dozens or hundreds of political subdivisions are acknowledge the fundamental challenge to its way of actively considering legislation or regulations favoring doing business, which is users’ need for freedom: the the use of free software for government computing. freedom to understand, fix, improve, and share the National governments have begun actively considering software that they depend on. Microsoft likes to refer use of free software for all the reasons (price, to ’open source,’ which sounds like something flexibility, power of modification - in other words, Microsoft could do itself. Its so-called ’shared source’ freedom) that other corporate and individual users initiatives, including the most recent one for foreign also identify. But they have at least one additional governments, are designed to mislead in precisely this reason for adopting free software: they suspect that way. But what Microsoft cannot do, what it will die Microsoft has done favors for the US intelligence trying to prevent us from doing, is to make software community, embedding ’back doors’ in Windows that free. ’Freedom’ is the word the monopolist cannot use, permit US listeners to monitor encrypted which is why, at the beginning of the end of the communications generated using the Windows Microsoft Era, Free Software Matters. Cryptographic Applications Program Interface (CAPI). Last month, in an unprecedented move, Microsoft © Eben Moglen, 2003. announced that it will release Windows source code Verbatim copying of this article is permitted in any for review by foreign governments, to help them medium, provided this notice is prese~red. evaluate whether Windows is a good public purchase. In addition, Microsoft will allow foreign governments
AUUGN Vol.24 o No.2 - 10 - June 2003 Oper BSD 3.3 Released then quickly revoke privilege. The X window server and xconsole now use Author: Todd C. ~iller < Todd. Mifler@co~rtesam co~ > privilege separation, for better security. Also, OpenBSD 3.3 has been released and is now available xterm has been modified to do privilege revocation. from select ftp mirrors. We believe this is our best xdm runs as a special user and group, to further release ever with cool new features including constrain what might go wrong. ProPolice stack protection in the compiler RSA blinding is now on by default in OpenSSL. (http ://www. trl. ibm. com/proj ects/security/ssp/), Many occurrences of strcpy0, strcat0 and sprintf0 queue support for pf (traffic shaping), an hppa (pa- have been changed to strlcpy0, strlcat0, and risc) port, W^X for some platforms (sparc, sparc64, snprintf0 or asprintf0. alpha and hppa), privilege separation in the X server and xconsole, fewer setuid binaries, a new spam A process will now have the P_SUGIDEXEC flag set deferral daemon and much, much more. f any of the real, effective, or saved uid/gid are mismatched. Previously only the real and effective Full release announcement follows: uid/gid were checked.
OPENBS]) 3.3 RELEASED ptrace(2) is now disabled for processes with the P_SUGIDEXEC flag set.
May 1, 2003. Improved hardware support (http : //www. 0penBSD. org/plat, html) We are pleased to announce the official release of OpenBSD 3.3. This is our 13th release on CD-ROM ¯ The xl(4), sis(4) and vr(4) ethernet drivers are more (and 14th via FTP). We remain proud of OpenBSD’s robust. record of seven years with only a single remote hole in the default install. As in our previous releases, 3.3 The ahc(4) and bktr(4) drivers now work on provides significant improvements, including new macppc. features, in nearly all areas of the system: o Vlan tagging now works properly in the ti(4) driver. Ever-improving security http : //www. OpenBSD. org/security, html The cac(4) driver is now more stable. Integration of the ProPolice stack protection technology, by Hiroaki Etoh, into the system Media handling has been improved in the hme(4) compiler. This protection is enabled by default. driver. With this change, function prologues are modified to rearrange the stack: a random canary is placed Bugs have been fixed in the gem(4) driver to make before the return address, and buffer variables are it more stable on the sparc64 platform. moved closer to the canary so that regular variables are below, and harder to smash. The Several fixes for the ami(4) driver. function epilogue then checks ff the canary is still intact. If it is not, the process is terminated. This New LZS compression support for the hfn(4) change makes it very hard for an attacker to driver. modify the return address used when returning from a function. Support for new IDE controllers from Promise, VIA, NVIDIA and ServerWorks. W^X (pronounced: "W xor X") on architectures capable of pure execute-bit support in the MMU o siop(4) driver improvements. (sparc, sparc64, alpha, hppa). This is a fine- graine~l memory permissions layout, ensuring that The sparc64 platform is now supported on several memory which can be written to by application more models and is much more stable. programs can not be executable at the same time and vice versa. This raises the bar on potential Major improvements in the pf packet filter, including: buffer overflows and other attacks: as a result, an attacker is unable to write code anywhere in pf now supports altq-style queueing via the new memory where it can be executed. (NOTE: i386 "queue" directive. Packets are assigned to queues and powerpc do not support W^X in 3.3; however, based on filter rules. This allows for very flexible 3.3-current already supports it on i386, and both queue settings, including quality of service these processors are expected to support this bandwidth shaping. change in 3.4.) New support for "anchors," which allows the use of Further reduction of the number of setuid and sub-rulesets which can be loaded and modified setgid binaries and more use of chroot(2) independently. throughout the system. While some programs are still setuid or setgid, most allocate a resource and A new "table" facility provides a mechanism for
AUUGN Vol.24 ~ No.2 - 11 - June 2003 increasing the performance and flexibility of rules o Sendmail 8.12.9. with large numbers of source or destination addresses. Apache 1.3.27 and mod_ssl 2.8.12, DSO support (+ patches). Address pools, redirect/NAT to multiple addresses and thus load balancing. OpenSSL 0.9.7beta3 (+ patches).
The scrub option ’no-dr has been changed to o Stable version of KAME IPv6. better handle fragments with DF set, such as those sent by Linux NFS. OpenSSH 3.6 (now 100% compliant with the secsh drafts). There is a new ’random-id’ option for the scrub rules. This randomizes outbound IP IDs and helps Bind 9.2.2 (+ patches). defeat NAT detection. o Perl 5.8.0 TCP state inspection is now RFC 763 compliant; we now send a reset when presented with SYN- o Sudo 1.6.7. cookie schemes that send out-of-window ACKs during the TCP handshake. Latest ISC cron (+ patches and atrun integration).
o TCP window scaling support. Improved vlan(4) robustness.
Full support for CIDR addresses. FreeBSD emulation now recognizes newer FreeBSD ELF binaries. Early checksum verification return on invalid Significant improvements to the pthread library. packets. Many, many man page improvements. The configuration language has been made much more flexible. If you’d like to see a list of what has changed between OpenBSD 3.2 and 3.3, look at o Large rulesets now load much more quickly. http://www. OpenBSD.org/plus33.html New subsystems included with 3.3 Even though the list is a summary of the most spamd, a spam deferral daemon, can be used to important changes made to OpenBSD, it still is a very tie up resources on a spammer’s machine, spamd very long list. uses the new pf(4) table facility to redirect connections from a blacklist such as SPEWS or SECURITY AND ERRATA DIPS. We provide patches for known security threats and OpenBSD 3.3 includes the hppa port for HP PA- other important issues discovered after each CD RISC machines. This should be considered a work release. As usual, between the creation of the in progress; users are advised to install the most OpenBSD 3.3 FTP/CD-ROM binaries and the actual recent snapshot instead of the formal 3.3 hppa 3.3 release date, our team found and fixed some new release. reliability problems (note: most are minor, and in Many other bugs fixed subsystems that are not enabled by default). Our (http : //www. OpenBSD. org/plus33 . html) continued research into security means we will find new security problems -- and we always provide The "ports" tree is greatly improved patches as soon as possible. Therefore, we advise (http ://www. OpenBSD. org/ports, htral) regular visits to http : //www. OpenBSD. org/security, html The 3.3 CD-ROMs ship with many pre-built and packages for the common architectures. The FTP http: //www. OpenBSD. org/errata, html site contains hundreds more packages (for the important architectures) which we could not fit Security patch announcements are sent to the onto the CD-ROMs (or which had prohibitive security-announce@0penBSD, org marling list. For licenses). information on OpenBSD mailing lists, please see:
Many subsystems improved and updated since the last release: http://www. OpenBSD.org/mail.html o Free86 4.2.1 (+ patches). CD-ROM SALES o gcc 2.95.3 (+ patches and ProPolice). OpenBSD 3.3 is also available on CD-ROM. The 3- CD set costs $40USD (EUR 45) and is available via
AUUGN V01.24 o No.2 -12- June 2003 mail order and from a number of contacts around the OpenBSD can be easily installed via FTP. Typically world. The set includes a colorful booklet which you need a single small piece of boot media (e.g., a carefully explains the installation of OpenBSD. A new boot floppy) and then the rest of the files can be set of cute little stickers are also included (sorry, but installed from a number of locations, including our FTP mirror sites do not support STP, the Sticker directly off the Internet. Follow this simple set of Transfer Protocol). As an added bonus, the second instructions to ensure that you find all of the CD contains an exclusive audio track, "Puff the documentation you will need while performing an Barbarian." Lyrics for the song may be found at: install via FTP. With the CD-ROMs, the necessary documentation is easier to find. http://www. OpenBSD.org/lyrics.html#33 1) Read either of the following two files for a list of ftp Profits from CD sales are the primary income source mirrors which provide OpenBSD, then choose one for the OpenBSD project -- in essence selling these near you: CD-ROM units ensures that OpenBSD will continue to make another release six months from now. http: //www. OpenBSD. org/ftp, html ftp: / /ftp. OpenBSD. org/pub / Op enBSD / 3.3 / ftplist The OpenBSD 3.3 CD-ROMs are bootable on the following four platforms: As of May 1, 2003, the following ftp sites have the o i386 3.3 release: o macppc o sparc ftp: / / ftp. ca. openbsd, org/pub / OpenBSD / 3.3 / o sparc64 (UltraSPARC) Alberta, Canada ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.3/ (Other platforms must boot from floppy, network, or Boulder, CO, USA other method). ftp: //ftp7. usa. openbsd, org/pub / os / OpenBSD / 3.3 / West Lafayette, IN, USA For more information on ordering CD-ROMs, see: ftp://openbsd.wiretapped.net/pub/OpenBSD / 3.3 / Sydney, Australia http : //www. OpenBSD. org/orders, html ftp://ftp.kd85.com/pub/OpenBSD/3.3/ Ghent, Belgium The above web page lists a number of places where ftp: //ftp. calyx, nl/pub / OpenBSD/3.3/ OpenBSD CD-ROMs can be purchased from. For our Amsterdam, Netherlands default mail order, go directly to: ftp: //ftp. se. openbsd, org/pub/OpenBSD / 3.3 / https ://https. OpenBSD. org/cgi-bin/order Stockholm, Sweden ftp: //ftp.linux. org.tr/pub / OpenBSD / 3.3 / Turkey or, for European orders:
https ://https. OpenBSD. org/cgi-bin/order, eu Other mirrors will take a day or two to update.
All of our developers strongly urge you to buy a CD- 2) Connect to that ftp mirror site and go into the ROM and support our future efforts. Additionally, directory pub/OpenBSD/3.3/ which contains donations to the project are highly appreciated, as these fries and directories. This is a list of what described in more detail at: you will see:
http://www. OpenBSD.org/goals.html#funding ANNOUNCEMENT ftplist ports.tar.gz Changelogs/ hp300/ root.mail HARDWARE hppa/ sparc/ T-SHIRT SALES PACKAGES i386/ sparc64/ PORTS mac68k/ src.tar.gz README macppc/ srcsys.tar.gz The project continues to expand its funding base by XF4.tar.gz mvme68k/ tools/ selling t-shirts and polo shirts. And our users like alpha/ packages/ vax/ them too. We have a variety of shirts available, with the new and old designs, from our web ordering 3) It is quite likely that you will want at LEAST the system at: following files which apply to all the architectures OpenBSD supports. https ://https. OpenBSD. org/cgi-bin/order README generic README and for Europe: HARDWARE list of hardware we support https ://https. OpenBSD. org/cgi-bin/order, eu PORTS description of our "ports" tree PACKAGES description of pre-compiled packages The OpenBSD S.S and OpenSSH t-shirts are available root.mail a copy of root’s mail at initial login. now! (This is really worthwhile reading).
4) Read the README file. It is short, and a quick FTP INSTALLS read will make sure you understand what else you need to fetch. If you choose not to buy an OpenBSD CD-ROM,
AUUGN Voh24 ~ No.2 - 13 - June 2003 5) Next, go into the directory that applies to your architecture, for example, i386. This is a list of Note: some of the most popular ports, e.g., the what you will see: Apache web server and several X applications, come standard with OpenBSD. Also, many popular ports CKSUM base33.tgz game33.tgz have been pre-compiled for those who do not desire to INSTALL.ata bsd index.txt INSTALL.chs bsd.rd man33.tgz build their own binaries (see PACKAGES, below). INSTALL.dbr cd33.iso misc33.tgz INSTALL.i386 cdrom33.fs xbase33.tgz BINARY PACKAGES WE PROVIDE INSTALL.Iinux comp33.tgz xfont33.tgz INSTALL.mbr etc33.tgz xserv33.tgz INSTALL.os2br floppy33.fs xshare33.tgz A large number of binary packages are provided. INSTALL.pt floppyB33.fs Please see the PACKAGES file MD5 floppyC33.fs ftp : //ftp. OpenBSD. org/pub/OpenBSD/PACEAGES If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386 and the appropriate floppy*.fs or for more details. cd33.iso file. Consult the INSTALL.i386 file if you don’t know which of the floppy images you need SYSTEM SOURCE CODE (or simply fetch all of them). The CD-ROMs contain source code for all the 6) If you are an expert, follow the instructions in the subsystems explained above, and the README file called README; otherwise, use the more complete instructions in the file called f tp : / / ftp. OpenBSD. org/pub/OpenBSD/README INSTALL.i386. INSTALL.i386 may tell you that you need to fetch other files. file explains how to deal with these source files. For those who are doing an FTP install, the source code 7) Just in case, take a peek at: for all four subsystems can be found in the pub/OpenBSD/3.3 / directory: http : //www. OpenBSD. org/errata, html XF4.tar.gz src.tar.gz This is the page where we talk about the mistakes ports.tar.gz srcsys.tar.gz we made while creating the 3.3 release, or the significant bugs we fixed post-release which we THANKS think our users should have fixes for. Patches and workarounds are clearly described there. OpenBSD 3.3 includes artwork and CD artistic layout by Ty Semaka, who also wrote the lyrics and arranged Note: If you end up needing to write a raw floppy an audio track on the OpenBSD 3.3 CD set. Ports using Windows, you can use "fdimage.exe" located in tree and package building by Christian Weisgerber, - the pub/OpenBSD/3.3/tools directory to do so. David Lebel and Peter Valchev. System builds by Theo de Raadt, Henning Brauer, Todd Fries and Miod XF~Er86 FOR MOST ARCHITECTURES Vallat. ISO-9660 filesystem layout by Theo de Raadt. We would like to thank all of the people who sent in XFree86 has been integrated more closely into the bug reports, bug fixes, donation cheques, and system. This release contains XFree86 4.2.1. Most of hardware that we use. We would also like to thank our architectures ship with XFree86, including sparc, those who pre-ordered the 3.3 CD-ROM or bought our sparc64 and macppc. During installation, you can previous CD-ROMs. Those who did not support us install XFree86 quite easily. Be sure to try out xdm(1) financially have still helped us with our goal of and see how we have customized it for OpenBSD. improving the quality of the software. On the i386 platform a few older X servers are Our developers are: included from Xfree86 3.3.6. These can be used for cards that are not supported by Xfree86 4.2.1 or Aaron Campbell, Alexander Yurchenko, Angelos D. where XFree86 4.2.1 support is buggy. Please read Keromytis, Anti Madhavapeddy, Alrtur Grabowski, the /usr/XllR6/README file for post-installation Ben Lindstrom, Bjorn Sandell, Bob Beck, Brad information. Smith, Brandon Creighton, Brian Caswell, Brian Somers, Bruno Rohee, Camiel Dobbelaar, Cedric PORTS TREE Berger, Chad Loder, Chris Cappuccio, Christian Weisgerber, Constantine Sapuntzakis, Dale Rahn, The OpenBSD ports tree contains automated Damien Couderc, Damien Miller, Dan Harnett, instructions for building third party software. The Daniel Hartmeier, David B Terrell, David Krause, software has been verified to build and run on the David Lebel, David Leonard, Dug Song, Eric various OpenBSD architectures. The 3.3 ports Jackson, Federico G. Schwindt, Grigoriy Orlov, collection, including many of the distribution files, is Hakan Olsson, Hans Insulander, Heikki Korpela, included on the 3-CD set. Please see the PORTS file Henning Brauer, Henric Jungheim, Hiroaki Etoh, for more information. Horacio Menezo Ganau, Hugh Graham, Ian
AUUGN Vol.24 ~ No.2 - 14 - June 2003 Darwin, Jakob Schlyter, Jan-Uwe Finck, Jason Ish, Jason McIntyre, Jason Peel, Jason Wright, The Linux System Jean-Baptiste Marchand, Jean-Jacques Bernard- Gundol, Jim Rees, Joshua Stein, Jun-ichiro itojun Administrator’s Hagino, Kenjiro Cho, Kenneth R Westerback, Kevin Lo, Kevin Steves, Kjell Wooding, Louis Bertrand, Marc Espie, Marc Matteo, Marco S Security Guide Hyman, Marcus Watts, Margarida Sequeira, Mark Author: Kurt Seifried
The principal objective of computer security is to protect and assure the confidentiality, integrity, and availability of automated information systems and the data they contain. silicon (http: //csrc.nist.Nov/publications/secpubs / cslaw.txt)
There are numerous definitions for "computer security", and most of them are correct. Essentially computer security means enforcement of usage policies, this must be done since people and software have flaws that can result in accidents, but also because someone may want to steal your information, use your resources inappropriately or simply deny you the use of your resources. Security Policy A security policy is an expression of your organizations security goals. Security goals will vary greatly by organization, for example a software vendor is typically more concerned about the confidentiality and integrity of their source code anything else, while a pornographic website is probably more concerned about processing credit cards online. There is an immense amount of security technology available, from software and hardware to specific techniques and implementations. You cannot properly implement the technology without a solid idea of what your goals are. Do home users connecting to the office need to use VPN software? If your security policy states that all file and print transfers must either be encrypted or sent across a "trusted" network then the answer is [email protected] probably yes. What authentication methods are acceptable for services that can be reached from the Internet? Do you require strong passwords, tokens, biometric authentication, or some combination? The data you collect from remote sites, is it more important that this data is collected, or is it more important that this data remain secret? Data that is remote weather telemetry is probably not as sensitive as credit card numbers.
AUUGN Vol.24 ~ No.2 - 15 - June 2003 users. These are a good compliment to a security Some security policies will need to be exceptionally policy as they set out in concrete terms what a user is broad and general, for example the security policy for or is not allowed to do, and as they are often part of a JANET, the academic backbone network for England contract it allows a provider to enforce their security states: policy when a user attempts to violate it or has violated it. Acceptable Use Policy Privacy policies are interesting in that they are supposed to prevent an organization 9typically a company) from violating some aspects of a user’s security (specifically the confidentiality of their information). Unfortunately the majority of privacy policies contain clauses like "this policy may change at any timewithout warning" or are simply discarded when a company decides to profit off of a user’s information (such as name, address, credit card details, purchase history, etc.). Security is a Process You only need to make one mistake or leave one flaw available for an attacker to get in. This of course means that most sites will eventually be broken into. Witness the effects of Code Red, an Nimda, both of which were hugely successful exploiting well known and long solved vulnerabflities in the Microsoft IIS server. Regularity apply patches (after testing them). Regularly scan your network for open ports. Regularly scan your servers with intrusion testing software such as Nessus. Audit file permissions and make sure there are no unexpected setuid or setgid binaries. Defense in depth All technical security measures will eventually fail or be vulnerable to an attacker. This is why you must On the other hand a security policy can be fine have multiple layers of protection. Firewalls are not grained: enough, you may accidentally forget a rule or leave yourself exposed while reinitializing a ruleset, use tcp_wrappers to restrict access to services as well where possible. Restrict which users can access these services, especially if only a few users need access. Encrypt traffic where possible so that attackers cannot easily snoop usernames and passwords or hijack sessions. Since security measures will fail you Generally speaking the more detailed and technology oriented a also need a strong audit and logging process so that security policy is the harder it will be to follow and keep up to you can later find out what went wrong and how bad date. The actually technical details of implementing a security it is. policy should be separated from it. Keeping a separate set of best Technical Problems practices or an actually "implementation of security policy" These are just a handful of thousands of specific document is a better idea then rolling it all into the security technical problems facing security administrators. policy. Network Connectivity Acceptable Use Policy One of the biggest security challenges is the increase Another component of computer security is an AUP in network connectivity. If you have a machine that is (Acceptable Use Policy). This is a document that sates not connected to any other machines an attacker will what a user of your resources may or may not do with generally need to gain physical access. This of course them. Typically it is part of a contract and is signed at greatly narrows down the number of attackers. the time when the services are purchased. Many However with everything connected to the Internet there are over 100 million people that can potentially acceptable use policies generally forbid actions that get into your machine. are illegal, potentially annoying to other people (and hence likely to cause problems for the provider in the Insecure defaults form of complaints) or are controversial (such as This is one of the problems that has caused no end of pornography). Other standard clauses include "this security problems since day one. Vendors typically notice may change at any time without warning" and ship their operating systems with insecure defaults "we can terminate your service (or fire you) at any (i. e. finger, telnet, ftp, etc.) meaning that time without warning if you violate this policy. administrators must expend a lot of effort to close Generally speaking the majority of AUP’s are security problems before they can even start to pro- reasonable and will not be a problem for normal actively secure their systems and networks.
AUUGN Vol.24 ~ No.2 - 16 - June 2003 Legitimate access vs.s a break in Installing physical monitoring devices such as Because you must grant legitimate users access to KeyGhost resources there is always the potential for attackers Stealing the system’s disk(s) to gain access. Attacker can guess authentication Unplug the server, or turn the power bar off (a credentials (i.e. weak passwords), steal them very effective DOS), if done several times this (password sniffing), exploit flaws in the server itself can lead to filesystem corruption. and so on. Minimizing access and privilege These are just a few of many possible attacks. The When possible restrict access. If you do not need to primary goal is to stop them where possible, and run fingerd turn it off and remove it. An attacker failing that slow them down so that hopefully cannot exploit fingerd ff it isn’t present. Keep users off someone will notice the attacker tearing apart a of servers if possible, if they need shell accounts for system in someone’s office. The installation of some reason setup a separate system and partition it monitoring devices is becoming especially worrisome, off from the rest of your network. Lock down as they are now available for purchase online for less workstations where possible, set BIOS passwords, then $100. An attacker can easily log all keystrokes secure the boot sequence, do not give them for a long time period before the attacker comes back administrative access. to retrieve them. Periodic physical inspections (in teams of two) of user machines for items like (This section was sponsored by Vigilante KeyGhost, modems are so on are a good idea. http://www.viigilante.com) Gaining access to office buildings is often trivial. ]PHYSICAL AND CONSOLE SECURITY While working for the government there was no access control to the building itself from 8 A.M. until While the majority of random and remote attacks 5 P.M. (after 5 P.M. a security guard forced you to sign in). Worse yet the building had a back entrance come in over the network physical and console that was not monitored. If you were to enter at 4:30 security are important factors. In a perfect world every machine would be physically secure with access P.M., hide in a bathroom for an hour or two (crouched to the console (i.e. keyboard, reset switch and on top of a toilet reading the latest Linux Journal) you monitor) tightly controlled. Unfortunately this is not a could easily spend several hours fiddling with desktop systems and leave at your convenience without being perfect world it is rare to find a physically secure seen by anyone. Cleaning staff also never questioned machine outside of a server room. me when I stayed late (and conversely I never Physical security questioned them), you should train staff to approach Remember that an attacker may not want to break into your desktop machine or network, they may be people they do not recognize and ask them politely if looking for a quick way to make $200, and stealing a they need assistance or are lost. While access to buildings cannot often be controlled effectively (to desktop computer is one way to do that. All systems many entrances / different tenants / etc.) you can should be securely fastened to something with a cable control access to your floor, a locked door with a system, or locked in an equipment cage if possible. CCTV monitoring it after hours is often a good Case locks should be used when possible to slow deterrent. attackers down (thefts of ram and CPU’s are becoming increasingly popular). Some systems, like "Practical Unix and Internet Security" from O’Reilly Apple G4’s, when cable locked cannot be opened, if covers physical problems as well and is definitely you need machines for public areas features like this are ideal. For secure rooms make sure that the walls worth buying. go beyond the false ceiling, and below the raised floor, Console security large vents should also be covered with bars ff With physical access to most machines you can possible. Monitoring the room with CCTV and possibly requiring a remote person to "buzz" you in (in simply reboot the system and ask it nicely to launch addition to a lock, keypad or other access control into single user mode, or tell it to use/bin/sh for init. device) is recommended. You can enter the BIOS and tell the machine to boot from a floppy, doing a quick end run around most With enough time and physical access an attacker security. Alternatively you can simply enter the bios, will be able to gain access to the system, several disable the IDE controllers, put a password on the methods of attack include: BIOS, rendering the machine largely unusable. BIOS / Open Firmware security Rebooting the system from other media such Assuming the attacker does not steal the entire as floppy disk, CD-ROM, external SCSI drives machine the first thing that they will usually try is to reboot the system and either boot from a floppy disk and so on (or other removable media). If they can do this then Removing the case, and removing the BIOS any standard file protection is useless, the attacker battery to get around any BIOS restrictions declares themselves to be root, mounts the filesystem Using a default BIOS password to gain access and gains complete access to it. to the BIOS Rebooting the system and passing boot To secure a x86 BIOS you typically enter it by hitting arguments to LILO "delete" or a function key during the boot process, the
AUUGN Vol.24 ~ No.2 17 - June 2003 actual name and location of the BIOS password varies from the default of none to command at the very significantly, look for "security" or "maintenance". least, and full if you are security conscious (warning, There are usually different levels of password you will need the password to boot the machine). protections, on some motherboards you can disable the keyboard until a password is typed in (the BIOS intercepts and blocks input until it sees the password ok password i ....~ entered on the keyboard), on others it only prevents ok New password (only fif~ ~8 ChagS are used) :***** accessing the BIOS. Generally speaking you want to ok Retype new password: ***~* ¯ ..... ~ i block access to the BIOS, and lock the boot sequence ok ~ . ~ ~ Ok ~seten9 security-mode full i ~:i~i ~ to the first internal storage device (i.e. the first IDE disk or SCSI).
Even f you do everything right there are still some You can also set "security-mode" to "command" which ways for an attacker to subvert the boot process. will require the password to access the open firmware Many older BIOS’s have universal passwords, but is less strict then "full". Do not lose this generally speaking this practice has declined with password, especially f you set the security-mode to modern systems, but you may wish to inquire with full, as you may need to replace the PROM to recover the vendor. Another potential problem to be aware of the system. You can wipe the password by setting is that many add-on IDE and SCSI controller cards "security-mode" to "none". have their own BIOS, from which you can check the status of attached devices, choose a boot device, and Unfortunately f you are using Apple hardware you in some cases format attached media. Many high-end cannot secure the boot process in any meaningful network cards also allow you to control the boot manner. While booting f the user holds down the sequence, letting you boot from the network instead command-option-P-R keys it will wipe any settings of a local disk. This is why physical security is critical that exist, there is no way to avoid this. About the for servers. Other techniques include disabling the only security related option you can set is whether floppy drive so that attackers or insiders cannot copy the machine automatically reboots or not, this is information to floppy and take it outside. You may useful for servers to prevent a remote attacker from also wish to disable the serial ports in users changing the kernel for example (which require a machines so that they cannot attach modems, most system reboot). Hold down the command-option-O-F modern computers use PS/2 keyboard and mice, so keys to access the OpenFirmware and from there you there is very little reason for a serial port in any case need to: (plus they eat up IRQ’s). Same goes for the parallel port, allowing users to print in a fashion that bypasses your network, or giving them the chance to attach an external CD-ROM burner or harddrive can decrease security greatly. As you can see this is an extension of the policy of least privilege and can LILO Security decrease risks considerably, as well as making LILO is the Linux boot loader, it handles all the nitty network maintenance easier (less IRQ conflicts, etc.). gritty tasks of getting the kernel into memory and There are of course programs to get the BIOS bootstrapping them machine into something that password from a computer, one is available resembles a useful computing device. LILO handles http://www.c~, it is available for DOS many things, from telling the kernel to look for and Linux. multiple network cards to how much memory there is (assuming Linux won’t detect how much your system If you decide to secure the BIOS’s on systems you has). There are several options you can pass to LILO should audit them once in a while f possible, simply to bypass most any account security or console reboot the machine and try to boot off of a floppy disk security. or get into the BIOS. If you can then you know someone has changed settings on the system, and Booting Linux into single user mode with (assuming while there may be a simple explanation (a careless the label is "linux")’ technician for example) it may also be your first warning that an attack has occurred. There are boot: linux single several programs for Linux that allow an attacker with root access to gain the BIOS password, while this is a rather moot point it does bear mentioning (if This will dump you into a root level command prompt an attacker has gained root access they can already on many systems. From there you can simply add a do pretty much anything). new users with UID 0, format the disks or copy Trojan’ed binaries off a floppy disk. One way many To secure a Sparc or UltraSparc boot prom send a vendors deal with this is by using sulogin, single user break during boot-up, hit stop-a, and you should be login, which prompts for root’s password before presented with the ok> prompt. Setting your letting you on. This will prevent people from accessing password is a simple matter of using the password single user mode and getting directly to a root prompt command and typing the password in twice. You will however there is a another attack. You can specify then want to set the security-mode, using "setenv" which program will be used to init the system, instead
AUUGN Vol.24 ~ No.2 18 - June 2003 image~:/boot/vmlinuz.2.2.17 of the default init you can use a command shell: label=linux-old root=idev/!h~al ...... boot: linux single init=/bin/sh p~ssword=thisisapasswor4 . . restricted ¯
Which will present you with a root prompt. The best way to defeat this and the single mode problem are to The above example will prevent attackers from secure LILO and prevent the passing of boot messing with the "linux" and "linux-old" image, arguments without a password. Many people argue however if they need to boot the old kernel (because a that this somehow inhibits normal use of the system, driver is broken, or SMP support doesn’t work quite however there should be no need normally for the right) then they will not need the password to do so. user booting the system to pass LILO arguments (f an argument is needed at boot time it should be put Depending on the level of security you want you can into lilo.conf permanently). Generally speaking the either restrict and password protect all of LILO, or only time you will need to pass LILO arguments is just the individual images. In any event if you are when something on the system breaks, at which point deploying workstations or servers you should use one it’s probably wise to send out a technician who knows to prevent users from breaking into systems in less the password to fix the system. than 10 seconds. While things like sulogin will prevent a user from getting a root prompt if they enter To secure LILO you must set a password, and use the single user mode the attacker can always use restricted keyword. You can also set security on a per "init=/bin/sh". image basis, or on LILO as a whole. If you set security on a per image basis you will be able to tell LILO One minor security measure you can take to secure which image you wish to boot without needing a the lilo.conf file is to set it immutable, using the password, but you will not be able to pass the kernel "chattr" command. To set the file immutable simply arguments such as "single". If you set security on run the following command as root: LILO as a whole then you will only be able to boot to the default image, specifying a different image will require the password.
And this will prevent any changes (accidental or boot=ide~/hda ~ map=/boot/map ...... " ! ¯ ~ otherwise) to the lilo.conf file. If you wish to modify in~ili=/boot/boot, b : " the lilo.conf file you will need to unset the immutable flag run the following command as root:
only the root user has access to the immutable flag. Grub security Grub is the default boot loader in Debian, Mandrake and possibly Red Hat 7.2. More on this to come.
[Ed’s Note: Debian Woody (current release) uses Lilo. Mandrake > 8 uses Grub. RedHat > 8 gives you a choice but will default to Grub. Mandrake and Redhat give you an opportunity to enter a Grub password in their installers.] This can be cumbersome, however it does prevent Rebooting the system attackers from booting a different image. If possible you should make rebooting the system more difficult, by default a!most all Linux boot:/deZ/!hda distributions have ctrl-alt-del enabled so that it map:/boot/map install=/boot/boot.b reboots the machines. However, unlike Windows, this prompt, is not necessary. In Linux you can easily control the timeout=50 behavior of ctrl-alt-del, simply by editing the meSlsage=/boot/message /etc/inittab file: linear ’ " default=linux ...... image=/boot/Vm~!i.n~z=2.2.18 ca::ctrlaltdel:/sbin/shutdown -t3 -r now label~ii!~ read’only root=/deg/hdal password~thisisapassword You may wish to disable it entirely (simply comment it restricted out with a #) or modify the command issued. Minimally you can create a bash script such as:
AUUGN Vol.24 ~ No.2 19 - June 2003 To: arch@freebsd.org #!/bin/bash Subject: 5-STABLE Roadmap # # This script emails a message to root and then shuts # down the system after a 5 second delay # Thanks to the hard work of everyone, FreeBSD 5.0 /bin/date I ibin/mail-s "ctr~-alt-del used" root became a reality and is working better than most even /bin/sleep 5s /sbin!shutdown -t3 -r now hoped. However, there is still a lot of work to be done before we can create the RELENG_5/5-STABLE Now every time someone hits ctrl-alt-del you will have branch and declare success. Below is a document an email message in root’s account logging it. You can that I have drafted with the input and review of the also send that email to another system (i.e. to Release Engineering Team, the Technical Review [email protected]). If you do this you may wish to Board, and the Core Team that defines what needs to introduce a small delay between the mail command be done in order to reach 5-STABLE. I’m happy to and the shutdown command to ensure the email gets take further input into this, and I will also mark it up out before the mail system is turned off. Of course an and make it available online. attacker can always hit the reset switch, power button, unplug the system, or trip the breakers for an 1 ¯ INTRODUCTION AND BACKGROUND entire floor of computers. If the system is in a locked After nearly three years of work, FreeBSD 5.0 was cabinet however this is quite a bit more conspicuous released in January of 2003. Features like the GEOM then simply using a three finger salute (ctrl-alt-del) to block layer, Mandatory Access Controls, ACPI, reboot the system. sparc64 and ia64 platform support, and UFS Summary snapshots, background filesystem checks, and 64-bit An attacker with physical access to the console, or inode sizes make it an exciting operating system for worse yet the hardware itself has many potential both desktop and production users. However, some avenues of attack they can pursue. Worse yet f their important features are not complete. The foundations goal is to simply deny use of service, or damage the for fine-grained locking and preemption in the kernel software and hardware doing so is trivial. Flipping the exist, but much more work is left to be done. Work power off and on during the boot process will often on Kernel Schedulable Entities, also known as result in drive corruption, or they can simply pour a Scheduler Activations, has been ongoing but needs a glass of water into the power supply. Locking servers push to realize its benefit. Performance compared to up in secure rooms is critical, a competitor can easily FreeBSD 4.x has declined and must be restored and afford to pay a janitor several thousand dollars to surpassed. turn a server off, and pour pop into the power supply, resulting in a dead server when staff turns it back on. This is somewhat similar to the situation that Workstations are typically more vulnerable as they FreeBSD faced in the 3.x series. Work on 3-CURRENT are in accessible areas, but hopefully they are trudged along seemingly forever, and finally a cry was interchangeable with another workstation, with all made to ’just ship it’ and clean up later. This decision data being stored on servers. resulted in the 3.0 and 3.1 releases being very unsatisfying for most, and it wasn’t until 3.2 that the To be continued... series was considered ’stable’. To make matters worse, the RELENG_3 branch was created along with This article is re-printed with permission. The originals the 3.0 release, and the HEAD branch was allowed to can be found at: advance immediately towards 4-CURRENT. This resulted in a quick divergence between HEAD and RELENG_3, making maintenance of the RELENG_3 The Roadmap for branch very difficult. FreeBSD 2.2.8 was left for quite a while as the last production-quality version of FreeBSD 5oStable FreeBSD. Author: Scott Ling
AUUGN Vol.24 ~ No.2 - 20 - June 2003 latency. Work is ongoing to implement lazy context 2o I~[AJOR ISSUES switching on all platforms. Fine grained locking of drivers will also help this, as will converting drivers to The state of SMPng and kernel lockdown is the be as efficient as possible in their interrupt routines. biggest concern for 5.x. To date, few major systems have come out from under the kernel-wide mutex Next, the state of KSE must resolved for RELENG_5. known as ’Giant’. The SMP status page at Work on it has slowed noticeably in the past 6 http : //www. FreeBSD. org/stop provides a months but appears to be picking up again. There are comprehensive breakdown of the overall SMPng a number of issues that must be addressed: status. Status specific to SMPng progress in deivce Signal delivery to threads is not defined. Signals drivers can be found at at are delivered to the process, but which thread http : //www. FreeBSD. org/proj ects/busdma. actually receives it is random. o There is confusion over whether upcalls are In summary: generated on every system call or when a thread blocks. The former is highly undesirable and needs VM - the kmem_malloc(M_NOWAIT) path no longer to be investigated. needs Giant held. The kmem_malloc(M_WAITOK) o The userland threading library, currently called path is in progress and is expected to be finished libkse, is incomplete and has not been used for in the coming weeks. Other facets of the VM any significant threaded application. system, like the vfs interface, buffer/cache, etc, o KSE has the potential to uncover latent race are largely untouched. conditions and create new ones. An audit needs to GEOM - The GEOM block layer was designed to be performed to ensure that no obvious problems run free of Giant, but at this time no block drivers exist. can run without Giant. Additionally, it has the potential to suffer performance loss due to its According to the release schedule below, KSE kernel upcall/downcall data paths happening in kernel and userland components must be functionality threads. Lightweight context switches might help complete by June 2003 in order to be included in the this. RELENG_5 branch. For security and stability Network - Work is in progress to lock the TCP and reasons, ff KSE cannot be finished in time then, by UDP portions of the stack. This also includes default, all KSE-specffic syscalls should be modified locking the routing tree, ARP code, and faddr and to return ENOSYS and all other KSE-specific inet data structures. RawlP, IPv6, Appletalk, etc, interfaces disabled. Deprecating KSE from RELENG_5 have not been touched. Locking the socket layer is but keeping it in the HEAD branch will pose problems in progress but is largely untested. None of the in porting bugfixes and features between the two hardware drivers have been locked. branches, so every effort should be made to finish it VFS - Initial pre-cleanup started. on time. buffer/cache - Initial work complete. Proc - Work on locking the proc structure was ongoing for a while but seems to have stalled. 3, GOALS FOR 5-STABLE CAM - No significant work has occurred on the The goals for the RELENG_5 branch point are: CAM SCSI layer. o All subsystems and interfaces must be mature Newbus - some work has started on locking down enough to be maintainable for improvements and the device t structure. bug fixes -- o Pipes - complete with the exception of VM-related equal or better stability from FreeBSD 4.8. optimizations. o no functional regressions from 4.8. It is important File descriptors - complete. to make sure that users do not avoid upgrading to Process accounting -jails, credentials, MAC labels, 5.x because of lost functionality. o and scheduler are out from under Giant. performance on par with FreeBSD 4.8 for most MAC Framework - complete common operations. Both UP and SMP Timekeeping - complete configurations should be evaluated. SMP has the kernel encryption - crypto drivers and core crypto potential to perform much better than 4.x, though framework are Giant-free. KAME IPsec and FAST for the purposes of creating the RELENG_5 IPSec have not been locked. branch, comparable performance between the two Sound subsystem - complete should be acceptable. kernel preemption - preemption for interrupt It is unrealistic to expect that the SMPng project will threads is enabled. However, contention due to Giant covering much of the kernel and most of the be fully complete by RELENG_5, or that performance will be significantly better than 4.x. However, focusing device driver interrupt routines causes excessive on a subset of the outstanding tasks will give enough context switches and might actually be hurting benefit for.the branch to be viable and maintainable. performance. Work is underway to explore ways to To break it down: make preemption be conditional. o ABI/API/Infrastructure stability Enough infrastructure must be in place and stable to allow Another issue with SMPng is interrupt latency. The fixes from HEAD to easily and safely be merged overhead of doing a complete context switch to a kernel interrupt thread is high and shows noticeable into RELENG_5. Also, we must draw a line as to
AUUGN Vol.24 ~ No.2 - 21 - June 2003 what subsystems are to be locked down when we http ://www. freebsd, org/doc/en_US. IS... uide/archs go into 5-STABLE. ¯ html. SMPng busdma interface and drivers - architectures like VM - Most codepaths, others than the ones that PAE/i386 and sparc64 which don’t have a direct interact with VFS, should be Giant-free for mapping between host memory address space and RELENG_5. expansion bus address space require the elimination for vtophys0 and friends. The busdma Network - Taking the network stack out from interface was created to handle exactly this under Giant poses the risk of uncovering latent problem, but many drivers do not use it yet. The bugs and races. Locking it down but not removing busdma project at Giant imposes further performance penalties. A http : //www. FreeBSD. org/proj ects/busdma/index, htm decision on whether to continue with locking the 1 tracks the progress of this and should be used to network layers, and whether they should be free determine which drivers must be converted for from Giant for RELENG-- 5 should be made no later RELENG_5 and which can be left behind. Also, than March 15. If the decision is made to allow the there has been talk by several developers and the locking to go forward, the IPv4, UDP, and TCP original author to give the busdma interface a layers should be free of Giant. IPv6 and the socket minor overhaul. If this is to happen, it needs to layers would be nice to have also, though it should happen before RELENG_5. Otherwise, differences be investigated whether they can be safely locked between the old and new API will make driver down in 5.x after the RELENG-- 5 branch. If the maintenance difficult. decision is to keep the network stack under Giant PCI resource allocation - PC2003 compliance for the branch, then an investigation should be requires that x86 systems no longer configure PCI made to determine if the present locking work can devices from the system BIOS, leaving this task be reverted and deferred to 6-CURRENT. solely to the OS. FreeBSD must gain the ability to Having a Giant-free path from the the TCP/IP manage and allocate PCI memory resources on its layers to the hardware should be investigated as it own. Implementing this should take into account could allow significant performance gains in the cardbus, PCI-HotPlug, and laptop dockstation network benchmarks. If this can be achieved then requirements. This feature will become the hardware interface layer needs to allow for increasingly critical through the lifetime of drivers to incrementally become free of Giant. RELENG_5, and therefore is a requirement for the Locking down at least two Ethernet drivers would RELENG_5 branch. be highly desirable. If the semantics are too complex to have the stack free of Giant but not the Most performance gains hinge on the progress of hardware drivers, investigation should be done SMPng Areas that should be concentrated on are: into making it configurable. Lesser-used network stacks like netatlk, netipx, Storage I/O - I/O performance suffers from two etc, should not break while this work is going on. problems, too many expensive context switches, However, locking them is not a high priority. and too much work being done in interrupt GEOM - At least 2 block drivers should be locked threads. Specifically, it takes 3 context switches in order to demonstrate that others can also be for most drivers to get from the hardware locked without changing the interface to GEOM. completion interrupt to unblocking the user The ATA driver is a good candidate for this, though process: one for the interrupt thread, one for the caution should be taken as it is also extremely GEOM g_up thread, and one to get back to the high-profile and any problems with it will affect user thread. Drivers that attempt to be efficient nearly all users of FreeBSD. and quick in their interrupt handlers (as all should Lazy context switching - sparc64 is the only be) usually also schedule a taskqueue, which adds platform that performs lazy context switching a context switch in between the interrupt thread when entering the kernel. The performance gains and the g_up thread and brings the total up to 4. promised by this are significant enough to require Two things need to be done to attack this: that it be implemented for all other Tier 1 o make all drivers defer most of their processing platform~. out of their interrupt thread. Significant KSE - The kernel side of KSE must be functionally performance gains have been shown recently in complete and have undergone a security audit. the aac(4) driver by making its interrupt libkse must be complete enough to demonstrate a handler be ’INTR_MPSAFE’ and moving all real-world application running correctly on it processing to a taskqueue. using the standard POSIX Threads API. Examples o investigate eliminating the taskqueue context would be apache 2.0, squid, and/or mozilla. A switch by adding a callback to the g_up thread functional regression test suite is also a that allows a driver to do its interrupt requirement for RELENG_5 and should test signal processing there instead of in the taskqueue. delivery, scheduling, performance, and process Network - Network drivers suffer from the security/credentials for both KSE and non-KSE interrupt latency previously mentioned as well as processes. KSE kernel and userland components from the network stack being partially locked must also reach the same level of functionality for down but not free from Giant. Possible strategies all Tier-1 platforms in both UP and SMP for addressing this are described in the previous configurations. The definition of ’Tier-1 platforms’ section. can be found at
AUUGN Vol.24. No.2 - 22 - June 2003 Other locking - XXX ? processor affinity, HyperThreading and KSE Benchmarks and performance testing - Having a awareness, and no regressions in performance or source of reliable and useful benchmarks is interactivity characteristics must be available for essential to identifying performance problems and RELENG_5. guarding against performance regressions. A sparc64 local console - neither syscons nor vt ’performance team’ that is made up of people and work on sparc64, leaving it with only serial and resources for formulating, developing, and ’fake’ OFW console support. This is a major executing benchmark tests should be put into support hole for what is a Tier 1 platform. Whether place soon. syscons can be shoe-horned in or wscons be adopted from NetBSD is up for debate. However, Comparisons should be made against both FreeBSD sparc64 must have local console support for 4.x and Linux 2.4.x. Tests to consider are: RELENG_5. Having this will also allow the XFree86 server to run, which is also a requirement the classic ’worldstone’ for RELENG_5. webstone - /usr/ports/www/webstone gcc/toolchain - gcc 3.3 might be available in time Fstress - http ://www. cs. duke. edu/ari/fstress for RELENG_5 and might offer some attractive ApacheBench - /usr/ports/www/pS-ApacheBench benefits, but also likely to introduce ABI netperf- /usr/ports/benchmarks/netperf incompatibility with prior gcc versions. ABI compatibility should be locked down for the Features: RELENG_5 branch. There has also been a request to move /usr/include/g++ to /usr/include/g++-v3 to be ACPI - Intel’s ACPI power management and device more compliant with the stock behavior of gcc. configuration subsystem has become an integral This should be investigated for RELENG_5 also. part of FreeBSD’s x86 and ia64 device gdb - gdb from the base system should work for configuration model. However, many bugs exist in Intel’s vendor code, our OS-specffic code, and sparc64. It should also understand KSE thread semantics, assuming that KSE is included in the motherboard BIOSes, causing many ACPI-enabled RELENG_5 branch, gdb 5.3 is available and there systems to fail to boot, misdetect drivers, and/or have many other problems. Fixing these problems are reports that it should address the sparc64 seems to be an uphill battle and is often times issue. causing a poor first-impression of FreeBSD 5.0. disklabel(8) regressions - The biggest casualty of Most x86 systems can function with ACPI the introduction of GEOM appears to be the disabled, and logic should be added to the disklabel utility. The ’-r’ option gives unpredictable bootloader and sysinstall to allow users to easily results in most cases now and should be removed and intuitively turn it off. Turning off ACPI by or fixed. Work is planned for a new unified default is prone to problems also as many newer interface for modifying labels and slices, however systems rely on it to provide correct interrupt this should not preclude disklabel from being routing information. Also, a centralized resource fixed. should be created to track ACPI problems and solutions. Linux uses the same Intel vendor Documentation: sources as FreeBSD, so we should investigate how they have handled some of the known problems. The manual pages, Handbook, and FAQ should be NEWCARD / OLDCARD - The NEWCARD free from content specific to FreeBSD 4.x, i.e. all subsystem was made the default for 5.0. text should be equally applicable to FreeBSD 5.x. Unfortunately, it contains no support for non- The installation section of the handbook needs the Cardbus bridges and falls victim to interrupt most work in this area. routine problems on some laptops. The classic 16- The release documentation needs to be complete bit bridge support, OLDCARD, still exists and can and accurate for all Tier 1 architectures. The be compiled in, but this is highly inconvenient for hardware notes and installation guides need users ~f older laptops. If OLDCARD cannot be specific attention. completely deprecated for RELENG_5, then If FreeBSD 5.1 is not the branch point for provisions must be made to allow users to easily RELENG_5 then the Early Adopters Guide needs install an OLDCARD-enabled kernel. to be updated. This document should then be Documentation should be written to help trasition removed just before the release closest to the users from OLDCARD to NEWCARD and from RELENG_5 branch point. ’pccardd’ to ’devd’. The power management and ’dumpcis’ functionality of pccardc(1) needs to be 4. ~CHEDULE brought forward to work with NEWCARD, along with the ability to load CIS quirk entries. Most of If branching RELENG_5 at the 5.1 release is this functionality can be integrated into devd and paramount, 5.1 will probably need to move out by at devctl. least 3 months. The schedule would be: New scheduler framework - The new scheduler o Jun 30, 2003 - KSE and SMPng feature freeze framework is in place, and users can select o Aug 4, 2003 - 5.1-BETA, general code freeze between the classic 44bsd scheduler and the new o Aug 18, 2003 - 5.1-RC1, RELENG_5 and ULE scheduler. A scheduler that demonstrates
AUUGN Vol.24, No.2 - 23 - June 2003 RELENG 5 1 branched down someone else grabs your address) the email is Aug 25, 2003 - 5.1-RC2 delivered to the machine that your old address was Sept 1, 2003 - 5.1-RELEASE allocated to --- and bounces.
Taking an incremental approach might be more In addition, my current ISP blocks port access to the beneficial. Releasing 5.1 in time for USENIX ATC SMTP port, so there’s no point in running a mailer 2003 will provide a wide audience for productive daemon directly accessible from the internet. feedback and will keep FreeBSD visible. In this scenario, 5.1 should offer a significant improvement LIVING WITH THE PROBLEM over 5.0 in terms of bug fixes and performance. Lockdowns and improvements to the storage The simplest thing to do is just to live with the subsystem and scheduler should be expected, the problem. Advertise the email address you got from NEWCARD/OLDCARD issues should be addressed, your ISP, and use IMAP or whatever to read your and all known bugs and regressions from the 5.0 email. errata list should be fixed. KSE and other SMPng tasks that cannot finish in time for 5.1 should also However, this defeats the purpose of having your own not reduce the stability of the release. The schedule domain, and means that when you change your ISP, for this would be: or your ISP changes the addresses on you, you have o May 5, 2003 - 5. I-BETA, general code freeze to tell everyone the new domain name. ° May 19, 2003 - 5.1-RC1, RELENG 5 1 branched ¯ May 27, 2003 - 5.1-RC2 ¯ Jun 2, 2003 - 5. I-RELEASE Tram) PARTY HOSTING SERVICES ° Jun 30, 2003 - KSE and SMPng feature freeze o Sept 1, 2003 - 5.2-BETA, general code freeze There are any number of third party email hosting o services --- Hotmail, Yahoo! Mail, etc., etc. Most will Sept 15, 2003 - 5.2-RC1, RELENG-- 5 and RELENG 5 2 branched not host your entire domain’s email for free, although o Sept 22, 2003 - 5.2-RC2 some are fairly cheap. o Sept 29, 2003 - 5.2-RELEASE The one I’ve found to be best is fastmail.fm an Australian company whose entire business is 5o POST RELENG --5 DIRECTION handling outsourced emafl. They’ll do low volume As with all -STABLE development streams, the focus marl handling for free; and for slightly more will host should be bug fixes and incremental improvements. your entire email requirements. dust like normal, everything should be vetted through the HEAD branch first and committed to RELENG_5 USING MAmFORWARD AND ZONEEDIT with caution. As before, new device drivers, incremental features, etc, will be welcome in the If your emafl requirements are small (less than 200M branch once they have been proven in HEAD. per year, only a few addresses), and you host your DNS with zoneedit.com, then you can set up a poor- Further SMPng lockdowns will be divided into two man’s MTA as follows: categories, driver and subsystem. The only subsystem that will be sufficiently locked down for RELENG_5 Set up exim or whatever behind your firewall, to will be GEOM, so incrementally locking down device do local deliveries as you wish. drivers under it is a worthy goal for the branch. Full subsystem lockdowns will have to be fully tested and proven in HEAD before consideration will be given to Set up a free IMAP account (for example with merging them into RELENG_5. fastmail.fm for each local address. The names can be random gibberish, as end users are never going This article is re-printed with permission. The originals to see them. can be found at: Set up a MailForward for each user at http: / / www. bsdforums, org /forums / showthread.php ? zoneedit.com to point each to a different free IMAP threadid=6892 account. Set up fetchmail to poll the IMAP accounts at 15 minute intervals and give the result to the local lYla l and Dynamic IF smtp server. Author: Peter Chubb
AUUGN Vol.24, No.2 - 24 - June 2003 options no rewrite !fetchalilii:i My home domains now all use mailhost.com.au and user ’XYZ890’ there wihh passw0rd iii ’PASSWORD’ is.,user2’ here ODMR for marl, and ZoneEdit.com for DNS. I’m still optiohs no rewrite fetchall looking for a free web host that can do PHP, CGI and MySQL.
You could of course configure fetchmail in multidrop Mailhost.com.au isn’t yet up for commercial access; mode, and deliver all email for your domain to one I’ve been told that that’s coming soon. In the emafl account (the one provided by your ISP, meantime, their beta program is open; contact Gavin perhaps). And it’s a good idea to do this as a catchall. Carr ([email protected]) for details.
pop-server.~ic.bigpond.net.au aka mai.l.d~s~r..�0mTW~:thprot~ .POP3~ and options ...... no dns envel0pe3 ,,Received" localdomainsYourDomain.id.au user. ’pchubb there with. p&ssword De ec ion Sys em ’PassWord’~il~ i tO pchubb@big~0~di:~het~iaU=p~tle~:tll* here Part I Author: Klaus M011er
The main disadvantage is that spare filtering is a little Basically, there are the following three areas: harder; you can’t set up a tarpit or bounce detected spam straight away, because all email is relayed via Information Sources your mail host. Response
AUUGN Vol.24 ~ No.2 - 25 - June 2003 Analysis NETWOm~ INT.VSION ]DETECTION (NIDS)
Response and Analysis is covered again more The main task of a Network IDS is the analysis and precisely later, the different kinds of "Information interpretation of packets transferred over the Sources" right now. Because of the extensive network. Signatures are used to examine packets for possibilities to attack a PC or a network there are "conspicuous" content like e.g. /etc/passwd. We will different kinds of IDS (of course, they can be discuss this in the course of the article. Mostly, so combined with each other) which basically differ in called sensors (often single hosts) are used which do the points where they control and what they control nothing except analyze traffic and f necessary start (Information Sources). an alarm. As this is their only task it is possible to secure those sensors better. In this context there HOST - ]~ASED INTRUSION DETECTION exists often the so called "Stealth Mode", i.e., the sensors act "invisible" so that it is more difficult for Host-Based Intrusion Detection Systems analyze the attacker to localize or attack them. information on a single host. As they normally do not look at the whole network traffic but "only" at the "Stealth mode can be used for network sensors to activities on the same host they are able to make make the promiscuous mode network interface card more precise statements about the kind of attack. In (NIC) invisible because it simply doesn’t have an IP addition, you can see directly the impact on the address in this mode. This is achieved by using a particular PC. E.g that a specific user started an separate NIC in each network sensor machine to attack successfully. Host-based IDSs use mostly two communicate with the console over, usually, a different sources to provide information about physically isolated secure network. Stealth mode activities: system logs and operating system audit makes it more difficult for a hacker to attack the trails. Both have advantages and disadvantages as network sensor itself." operating system audit trails are more exact, detailed and can give better information about activities while This paragraph (taken from the description for system logs mostly deliver only the most important RealSecure) clarifies again what a sensor in Stealth information and are therefore considerably smaller. Mode is. The sensor switches into promiscuous mode System logs can be controlled and analyzed better (simply put: the mode in which the network device because of their size. reads the whole network traffic) and has no own IP. With this it should be made as difficult as possible for Advantages: the attacker to localize the sensor. By the way, this is o you "see" the impact of an attack and can react the mode used by packet sniffers like tcpdump... better on it o you can recognize Trojan horses etc. better as the Basically, you can use sensors in following areas: available information/p ossibflities are very extended Within the firewall (simplified): o you can detect attacks which cannot be detected by Network based IDS because traffic is often encrypted ° you can observe activities on your host exactly
Disadvantages: ° they are not good in recognizing scans o they are more vulnerable to DoS attacks o the analysis of operating system audit trails is very time-consuming because of its size. o they stress the host’s CPU performance (partly) immensely
Examples: o Tripwire This diagram shows only one possible solution and http: //www. tripwire, com/pro ducts/index, cfml shall only clarify that the sensors are not between ° SWATCH DMZ and firewall. If the expression DMZ is unknown http: / /freshmeat. net/redir/swatch/10125/url_ho to you: it stands for DeMilitarized Zone and is an area mepage/swatch which is secured from all sides. o DragonSquire http: //www. enterasys, com/ids / squire / If sensors are within the firewall it is easier for them ° Tiger to decide if a firewall was eventually configured http://freshmeat.net/redir/tiger-audit/30581/url improperly and in addition you get to know if a _homepage/tiger potential attack came through the firewall or not. o Security Manager According to experience, sensors create less false h.ttp: //www. netiq, corn/products / sm / default, asp positives as they act "less inconspicuously" and therefore traffic is less (~vhereby the probability of a
AUUGN Vol.24, No.2 - 26 - June 2003 false alarm drops), the impacts of an attack
Sensors placed within a firewall serve as intrusion Examples: detection. Should your sensor fulfill this task you ¯ NetRanger [http://www.cisco.com] should then put it within the firewall ... o Dragon [http: //www.securitywizards.com] o NFR [http://www.nfr.netl Outside the firewall (simplified)" o Snort [http://www.snort.org] o DTK [http://all.net/dtk/dtk.htmll o ISS RealSecure [http: //www. uh. edu/infotech / software/unix/reals ecure/index.html]
Though I distinguish between HIDS and NIDS the differencebecomes smaller and smaller as in the meanwhile HIDS, too, have the basic functionality of NIDS. Known ID Systems like ISS RealSecure call themselves not only NIDS but "host-based and network-based IDS". In the future, the difference between both systems will become even less clear (so that both systems "grow together" more and more). Sensors are often placed outside the external firewall as shown in the diagram. The reason for this is that NETWORK NODE ].NTRUSION DETECTION (NNIDS) the sensor can receive and analyze the whole traffic from the internet. If you place the sensor here it is Basically, this new type (NNIDS) works like typical not ensured that really all attacks are filtered and NIDS, i.e., you take packets from network traffic and detected, e.g., TCP attacks. In this case, you would analyze them. But it only concerns packets which are try to detect the attack by using so called signatures addressed to the network node (this is where the (more about this in the part about signatures). name comes from). Another difference between NNIDS Nevertheless, this placement is preferred by many and NIDS is that NIDS run in promiscuous mode experts because there is the advantage to log and while NNIDS does not run in promiscuous mode. As analyze the attacks (to the firewall...), thereby, the not every packet is analyzed the performance of the admin can see where he should change the firewall system will not suffer to much, such systems run very configuration. fast as a rule.
Sensors placed outside the firewall serve as attack APPLICATION BASED ~_NTRUSION DETECTION detection (different to placing in within the firewall!). If your sensors should detect these attacks you Application Based IDS’s are a subgroup of host-based should put them outside the firewall... IDS but I mention them here separately. It monitors the interaction between user and program whereby Outside and within the firewall mainly additional log files are created to provide information about the activities. As you operate Actually, this variant connects both previously directly between user and program you can very mentioned variants. But, the danger is that you easily "filter" conspicuous behaviour. You can configure the sensors and/or the firewall wrongly, i.e., visualize an ABIDS as in the following diagram: you cannot simply add the advantages of both variants to this variant. These are not the only possibilities to placing sensors, you can, of course, place them somewhere else but the above mentioned places are. the most commonly used. .
Advantages: o the sensors can be secured well as they "only" observe traffic o you can detect scans better - on the basis of ...... signatures,., you can "filter" traffic (actually, we will show later that this is not always the case) Advantages:
Disadvantages: you work at unencrypted level, in opposition to, o the probability of so called false negatives (attacks e.g., Network Based IDS, whereby analysis is more are not detected as attacks) is high as it is difficult feasible to control the whole network you can detect and prevent conspicuous ° mostly, they have to operate on encrypted packets commands which the user wants to use on/with where analysis of packets is complicated the program o as a difference to host-based IDS they do not see
AUUGN Vol.24 ~ No.2 - 27 - June 2003 Disadvantages: concerned...?) Reaction: the (counter) action, o no security and few possibilities to detect, e.g., detection alone does not serve anything if you do not Trojan horses (as you do not act in kernel space) take steps against it. Padded Cell Systems offers o the log files created by this kind of IDS are easy special possibilities which concern counteractive attack targets for "attackers" and not so secure measures. So, reaction implies what you do / the IDS like, e.g., operating system audit trails does when you react to an attack.
STACK BASED INTRUSION DETECTION Later, we will clarify the different response options of IDS again... In addition, honeypots can be classified in two bigger categories, research and production Also a new kind of IDS is the so called Stack Based honeypots. Production honeypots are to help lessen Intrusion Detection System (SBIDS). But potential risks in a network while research honeypots momentarily, I do not have enough information which serve to collect and inquire information about the would allow me to brief you about this type of IDS. In attackers. a future version of this paper the description will certainly follow... Prevention: Honeypots are surely not the most appropriate systems to avert attacks. As you will see later at Padded Cell Systems, a wrong programmed and The word Honeypot is used in a lot of different wrong configured honeypot can even facilitate attacks contexts. To avoid confusion I will stick to the whereby this covers the whole subject of IDS. definition from the SANS Institute’s Intrusion Deception FAQ: "Honeypots are programs that Detection: simulate one or more network services that you Seemingly, that is the biggest advantage of honeypots designate on your computer’s ports. An attacker as they can be excellent in detecting attacks. In this assumes you’re running vulnerable services that can context, they can above all analyze and interpret be used to break into the machine. A honeypot can system logs. The placement of the honeypot plays a be used to log access attempts to those ports decisive role, an admin can only benefit by honeypots including the attacker’s keystrokes. This could give f the are configured and placed properly. Often, they you advanced warning of a more concerted attack". are placed between important servers to detect In some cases, a honeypot is simply a "box". From eventual scans of the whole network or in the the outside it appears vulnerable, while it logs traffic proximity of one important server to detect illegal and also analyzes it. Thus, because honeypots access with the help of port redirection (e.g., f appear vulnerable and no connections should be someone tries to access the server at certain ports he created every connection to the honeypot is seen as will be redirected to the honeypot, as this access suspicious should not be allowed there should be a warning).
Reaction: Internet In the part about Responses (read beneath), you can see which possibilities a honeypot has to react on events. When using/creating a honeypot you should ext. Firewall keep in mind that the host should look most attractive to an attacker, i.e., it should not be too difficult to attack the host. Basically, there should be Honeypot " ~l <--- in DMZ :_f=ii.~__ .... few changes from the default configuration as too many changes only seem conspicuous. Nevertheless, you should not forget the actual idea, i.e., control ~int.~Firewall ~ traffic, log activities .... One approach of which I have heard several times is to place the honeypot in its own subnet behind a firewall. This has normally So, the internal network does not have to be exposed alarm capabilities and so can display warnings. As because a honeypot is normally placed in the DMZ logs are sought-after targets of attackers you should (DeMilitarized Zone). The major task of a honeypot not log them on the host itself but send it to another consists mostly in analyzing traffic, e.g., when certain server. Sometimes, sniffers are used to search traffic processes were started, which files were changed .... for certain signs and "log" traffic. If you collected so that you can create a quite good profile of potential enough information you should analyze the logs and attackers. look for weaknesses of the network, respectively rectify them. Because of the amount of information it But not all honeypots are alike so you can distinguish should be easier to close security holes and take between three "variants" which enhance security of action against attackers. But you should consider the system in different ways: that honeypots are not completely legal, respectively you should be attentive when using honeypots. The Prevention: prevent an attack detection: notify that problem is that a honeypot can be interpreted as an there was an attack (possibly a localization of the "invitation to attack" and if you realize that the host attacker, ~vhat kind of attack, which services are was attacked (and you do not initiate counteractive
AUUGN Vol.24 o No.2 - 28 - June 2003 measures) that could be interpreted additionally as an Such circumstances are still abused these days, act of gross negligence. Some judiciary e.g., if there is a mutual trust between two hosts, argumentation against honeypots sound banal but i.e., the user of one host can log in another you should check the law at your place. If someone without password (or else). If an attacker attacks another network from your network and accomplishes a comparable effect with his attack it creates damage you will (probably) pay for it for is sometimes very difficult to discover such already mentioned reasons. "abused" mutual trust.
Further inquiries found that the application of 2) Integrity honeypots is, e.g., in Europe is no problem (if you find If the user changes important configuration and a law which contradicts this, write to me, please. My system files, replaces existing binaries by his search did not find such a law...). own... Often, existing binaries (like, e.g., /bin/login) are replaced by own binaries. There, PADDED CELL SYSTEMS the respective user only has to give a fixed password (in the source) and gets (mostly) root privileges. Such attacks serve to expand ones own These systems normally work together with one of the privileges, e.g., by means of installing a login other systems. If the used IDS notifies about an backdoor. In fact, there are tools like Tripwire but attack the respective attacker is forwarded to a not everyone uses it. In addition, there are often "padded cell host". As soon as they are in this devastating errors in configuration and use which padded cell host they cannot make any damage as the make Tripwire an extra risk in such cases. whole environment is simulated, a "bogus" environment. It is important that this environment is 3) Availability as realistically presented as possible, respectively the By this, the reachability of the system is affected. attacker has to think that the attack was successful This could cause the ban of certain users to log in (sort of). There is a possibility to log, analyze and at all or that you can only log in at certain times... follow every activity of the attacker. The problem with The aim is mostly to work "undisturbed" and using padded cell systems is that it is possible that it cannot be discovered by any user. is illegal to employ them in a particular country (as eventually such counter activities of the IDS can be 4) Control seen as "attack", though they are only meant to E.g, ff the attack is for the purpose of "overtaking" collect information about the real attacker). the system that has control over files, programs... When this happens, you should consider that the Advantages: attacker gets also all other previously listed o once in a padded cell host, attackers cannot do options. If he has total control over the system he any more damage as it is only a "bogus" can change, restrict.., what he vvants. environment o the admin can follow/log the activities of the Before I get to the different types of attack (DOS, attacker directly to get more information about the DDoS, Scans .... ) I will make just a little excursion to attack and the target of the attack and so is able the world of Integrity Checkers. Tools like Tripwire to initiate counteractive measures more easily are part of host based IDS, the issue of an Integrity Checker is to check the integrity of diverse fries and Disadvantages: start an alarm if you detect changes on a file. o eventually, usage of padded cell systems is not legal (the same as honeypots, in Europe this 1) Creation of a database should be no problem) The first step after the installation of an Integrity ¯ the implementation of such a system is very Checker like Tripwire is the creation of a database. difficult and requires some knowledge as the whole This step should (must) be made in a situation at environment has to be simulated correctly. If the which the condition of the system is not admin makes a little mistake somewhere this compromised. If you create the database at a later system could by all means open additional time (and maybe the attacker has replaced the security holes existing binaries) the use of an Integrity Checker would not work as it should. In such a case, the ~]~YPES OF ATTACK replaced binaries would be considered as "originals" and ff the admin replaces these binaries Before you develop or use an IDS you should specify by the actual "originals", an alarm would be the potential dangers, also which attacks you expect. started. Most of the tools offer extensive Despite the different possibilities attacks and their possibilities to specify files/directories of which target can be defined in four categories: you want to create checksums. We simply generate a fingerprint of the system. (Tripwire 1) Confidentiality calls this Database Initialization Mode) The consequences of the attack are that the mutual trust to a certain user changed (mostly to 2) Check of Integrity his favor ;), e.g., that you do not have to After the admin has a database (the fingerprint) of authenticate anymore for a certain program... the system he can check his system when he
AUUGN Vol.24 o No.2 - 29 - June 2003 wants to. This is done simply by comparing the replaced. If this is the case, execution is checksums in the database with the currently prohibited. available files on the disk, Tripwire offers more possibilities. Simply read the manpage for This concept is only one possible for realtime integrity Tripwire or associated documentation. checkers (at least I arranged this concept for me). As a difference to integrity checkers you do not rely on Those two steps are actually found in most Integrity the admin checking files regularly, you try to check Checkers. Tripwire offers the possibility to update the the correctness of the binary before execution and not database (when having installed new tools...) or to let it execute if necessary... update the policy file, test the email notification system... Besides the above mentioned categories (integrity, control .... ) attacks can be differentiated otherwise, of Which errors can be made when using Integrity course, e.g., how to attack, respectively with what Checkers ? means. Also, here are naturally many possibilities, but the most common attacks against IDSs are: The first and grossest error an admin can commit is to create an MD5 hashsum database when existing Scans binaries have been replaced by an attacker already. If These days, scans are the common "attacks", the an admin assumes that an attack was successful and problem here is that the IDS should not produce afterwards creates the hashsum database of this too many false positives. Mostly, scans serve to "compromised" system, the binary, replaced by the get (further) information about a host/network attacker (e.g., login backdoor), would be considered as (e.g., to start subsequent attacks). What the "real" binary. You should create the database as information an attacker can get about your own soon as possible after installation. One other big network you can see with the following scan result error when using Integrity Checkers (like, e.g., (nmap - only a small example which does not at all Tripwire) is to leave the hashsum database on hard show all possibilities of nmap): disk. On first sight, it seems absolutely normal to leave the database on hard disk but if you have to ~ leave it there you should at least make sure that the Host (192 ~ 168 ~ 0,0) AUUGN Vol.24 o No.2 - 30 - June 2003 ~ 4500 0028 0000 4000 ff06:7dcdTf00 0001 7f00 000i 0050 e5651 069~ ~525’ 0~000 0000 5004 0000 a070 0000 .~ ~ Using many of the most different, scan techniques o2:10 : 16.114704 Diablo. 1727 > Diabl0. 821i S. 196002918:196002918 (0) ~ ~ ..... together result in a mass of information which allows win 32767 : Nmap parameter: -sP TCP Scanning (Vanilla) : UDP scanning: With TCP scanning you (mostly) try to connect() on The intention of UDP scans are analog to TCP all ports after you did the three-way-handshake, scans as you want to find out open UDP ports. A i.e., you made a connection to the ports (the scan runs differently as UDP is a connectionless connections to the ports were successful) the reply protocol (TCP is connection-oriented). UDP value of connect() is checked. For the attacker the scanning "uses" ICMP, ff you send to the actual reply value informs ff the used port (or the ports) is ports a 0 byte UDP packet to wait for an ICMP open or closed. The aim of a TCP scan is to find "answer". If there is a notify that the port is out if ports are open/closed. unreachable ("Port unreachable"/code value 3) this means that the port is closed. If the respective Nmap parameter: -sT admin, e.g., in his /etc/inetd.conf, deactivated certain services and you try to send a packet to The following nmap output is of one of my hosts, the respective port this would result in the error directly after a default installation. I deliberately message "Port Unreachable"... made no changes (in the configuration) Nmap parameter: -s lll/udp . oPen " sunrpc ¯ : ! l!/:5cp Open i sUnrpc Nmap run completed-- 1 IP address: :(.~::liost Up) ll3/tcp open : auth : ’ scanned in 4 seconds 6000/tcp open X!I.~ : :~ :i:: Nmap run .complehed ~ 1 ip.a~d£~!iiii: h0st up) The associated tcpdump trace: scanned i~l 1 second 10:41:55.954397 Diablo > Diablo: icmp: echo request A part of a tcpdump trace (of this scan): 4500 001c cc8f 0000 2801 c84f7f00 0001 -7f00 0001 0800 8471 738e 0000 10:41:55.954397.Diablo > Diablo: icmp:-emho reply 02 : I0 : 15 ~ 804704 Diablo.... > Diablo: icmp: echo request 4500 001c:.2db8 0000 3501 5a27 7f00 0001 (DE) ~ ~ 4500 001c 00.00 4000 ff01 7dde 7f00 0001 7f00 0001 i0~00 fc~5 I~b 0 0 0 0 7f00 0001 0000.8c71 738e 0000 02 : I0 :i5. 814704 Diabl0 > .Diablo: icmp: echo reply 10:41:55.964397 Diablo.63793 > Diablo.http: . ack (DF) " 994287972 win 2048 4500 001c ooo0 4000 fZ01 7dde 7:[00 0001 4500 0028 79e3 0000 2506 Ideb 7f00 0001 Vf00 0001 0000 0496 f~69 0000 7f00 0001 f931 0050 06d8 0003 3b43 a164 02:10:15.814704 Diablo.58725 > Diablo.http . ack 5010 0800 cccd 0000 110306597 win 3072 ’ 10:41:55.964397 Diablo.http > Diablo.63793: R 4500 0028 d223 0000 2a06 c0aa: 7f:00 0001 994287972:994287972(0) 7f00 0001 e565 0050 ad48 0003 0693 2525 win 0 (DF) 5010 0c00 e718 .0000 .... 4500 0028 0000 4000 ff06 7dcd 7f00 0001 02:10:15.814704 Diab!o,http > Diab!o.58725: R 7f00 0001 0050 f931 3b43 a164 0000 0000 110306597:1103065197 (0) 5004 0000 dbb4 0000 win 0 (DF) 10:41:56.274397 Diablo.63773 > Diablo.15: udp 0 AUUGN Vol.24 ~ No.2 - 31 - June 2003 4500 001c 8a0b 0000 3011 02c4 7f00 0001 4500 0028 0000 4000 ff06 7dcd 7f00 0001 7f00 .0001 f91d 000f 00018 08af 7f00 0001 000e Cf6b 9:279 :bd48 0Q00 0000 10 :411:56.274399 Diablo > Diabl0: icmp: Diablo udp 5004 00001 9362 0000 : : ~- port 15 .... i0:45: 52. 164397 Diablo. 53099 > D±abi0. imap3~ i’ ack unreaqhab~e (DF)[tos 0xc0] ¯ 2457~51592 iwin 3072 1:.: : 45C0 ~0038 0000~4000 ffoi 7d02 7fO0 0001 ~506~00hS~ ~07-5~0000 3206~e658 ~00 0001 VfO0 ~i000i 0305 fbl8 00~0 0000.4500 O01c 7~00 oooi �~b:(06~ 393’8: 47~0:~2~79 b~48 8a~ob 0000 BOll 02c~ 7fO0 5010 OCO0 e67f :0000 f91d O00f ...... i0:~!:56~i274397 Diab10iG3:7~3 ~ Diabl 0 ] 0il~59:-~udp Stealth scanning (NULL, XMAS, FIN, SYN .... ): 111~ 4500: 001c 6c2f 0000 30ii:I ~ O a 0 7fO0 000i:i i: ..... 7f00 0001 f91d 05b3 0008 [030b With stealth scanning you "abuse" the three-way- 10:41!516~274397 Diab~o’:> Diablo: icmp: Diablo udp handshake. I present the three-way-handshake shortly: unreachable (DF)[t0Sl 0xc0] I I I : 45 C 0 0038:0100Z 4000 ff01’7C02 7f00 0001 ~00 0100i 030~ ~bl~ ooOooooo 4500 001c ¯Host B: I Another variant of a UDP scan (UDPrecvfrom0 and write() scan) consists in scanning every port twice. The just now mentioned method uses ICMP with "Port Unreachable", but only root receives this message. If you scan a closed port twice you get, after the second scan: "Error 13 :Try Again"... The problem of TCP scans is that they are very ACK scanning: conspicuous (as every time it does a three-way- With sending an ACK packet to a port of a firewall handshake). With stealth scanning the following you find out which ports are filtered and which are happens instead: not. If you receive an RST answer it means that the referring port is "unguarded", respectively is not filtered, else you get an !CMP error message. So, you do not find out which ports are open but you get more precise information about the firewall (and its configuration). Nmap parameter ¯ -sA This diagram seems to look like the three-way- handshake but with a basic difference: The shown diagram would have no connection between A and B, respectively Host B would think the connection exists, though the connection doesn’t exist until A sends a further ACK to B (it is also called a "half-open" port...) ¯ The above shown SYN scan implies that the port of the target host is open (because of the ACK/SYN), ff it were closed you would receive a RST/ACK back. The tcpdump trace: Nmap parameter ¯ -sS i0:45:51,864397 Diablo > Diabl0: icmp~ echo request 4500 001c 1617 0000 3901 6d~8 7f00 o001 [Socma] $ hmap -sS lOCalhoSt . 7fO0::O001 0800 llBd e6c2 Io0"o0~ ~’ : ~ " " W~’insecure. orginmapi ) Interesting ports on :Diablo (127,0~0 AUUGN Vol.24 o No.2 - 32 - June 2003 4500 001c 0000 4000 ff01 7dde 7f00 0001 7f00 0001 00e9 cbd5:0000 0000 0000.::0001 7f00 0001 0000 aia9 5e56 I ’ ~0 ’0 0~ ~ ~ ..... 5014 O000::e50e 0000 ¯ i0:47:41.674397 Diabio.58038 > Diablo,httpi~(,iIaCkl 1561498752 win 3072 ¯ 4500 z0028 ale5 0000 3206 daeSi7f00 0001 ~ NULL and XMAS scans are of special interest (above 7fO0 O001:e2b6 0050 82bOiOOO~:5d:2:9480 all with practical implementation of protocol anomaly 5oio ocoo 4:e85 ooo:0 :: : ~ detection). It is called XMAS scan because all flags 10:47:41.674397:Diab!o.htffp > Diab10.58038: R 156~498752 i i5~i9~752 (0)~ :: are set: SYN, ACK, FIN, URG, PUSH. As with FIN ¯ ~n 0 (~) ~ ~ ~ : Y~ ~ ~I ~ scanning you send back RST if the port is closed. 4500 0028 0000 4000~ff06 7dcd ~f00 0001 " ~ ~f00 000i~0050Z ~266 5d12 ~9480 0000 Z0000 Nmap parameter ¯ -sX I0:47:4i,98~39~ Diablo.58018 > Diablo:l~88::::S . 7f00 000i e2a2 05d0 a7ia 8d~j :0000 0000 .: s0.02 0e0o~sse~ 0000 ,. , i0~7:41:98439 Diab~O’1488::~ Diablo:58018: R 45oo 0o2~ 00~o 400.0 :~0 o o0o ~: :: Now, o~er scans join the g~e: FIN scanning, NULL scan~ng ~d ~S scan~ng. FIN scan~ng o~y sends a FIN message to the "target host", though no connection e~sts be~een them. At a closed po~ RST is sent back, else nothing happens. Tcpdump trace: Nmap parameter : -sF [accruals nmap ~.sF localhosb .: : s~.arhin9 nniaplv: :2~;54NETA:36 :(: . - Integesgi~9 pQgts on Di~blO (i2,7 ~0~0 ~The 1552::p~S: scahn~d~Jbu:~, no£:shown bel.0w are in State :: ,�lb~d).j: :".:=~: :; : : : . ~ l!3!tcp open aUth ~ ..... : 600’0/tcp open. Xil . . ’.::::,:::-:. " Nmap run completed-- i IP address (Z-hOs:t~::::~p) scanned¯ in 6 ’ se:co~ds Tcpdump trace: i0:48:28.70439.7 Diablo > ~Diablo: icmp: echo request 4500 001c b29d 0000 3401 :d641 7f00 0001 7f00 0001 0800 ala7 5658¯ 0000 10:48:28.704397 Diablo > Diablo: icmp: echo reply (DF) 4500 001c 0000 4000 ff01 7dde 7f00 0001 7f00 0001 0000 a9a7 5658 0000 10:48:28.704397 Diabloo52201 > Diablo.http: . ack The other possibility, called NULL scan, means that 2873378189 win 4096 no flag is set, ff the port is closed an RST is sent 4500 0028 cbeb 0000 2b06 c5e2 7f00 0001 back.] 7f00 0001 cbe9 0050 9020 0003 ab44 458d 5010 i000 54a3 0000 10:48:28.704397 Diablo.http > Diablo.52201: R Nmap parameter ¯ -sN 2873378189:2873378189(0) win~ 0 .(DF) [Social $ nmap -aN localhost. 4500.0028 0000 ~000 ff06 7dcd 7f00 0001 7f00 0001 0050 cbe9 ab44 458d 0000 0000 Starting nmap:V. 2.54BETA36:! ( 5004 0000 f4d2 0000 www.insecu:e.org/nmap! )!i ::i:. " 10:48:29.004397 Diablo.52181 > Diablo.233: F 0!0(0) win 4096 (,~he is52.p~gS scanned bu:t::not shown below are in 4500 0028 i0c6 0000 2b06 8108 7f00 0001 state: clo~ed) ..... ~ 7f00 0001 cbd5 00e9 0000 0000 0000 0000 Port State service 5001 I000 d522 0000 21/tcp open ftp 10:48:29.004397 Diablo.233 > Diablo.52181: R 23/tcp open telnet 0:0(0) ack i win 0 (DF) 80/tcp open http 4500 0028 0000 4000 ff06 7dcd 7f00 0001 lll/tcp open sunrpc AUUGN Vol.24 - No.2 - 33 - June 2003 ll3/tcp ~ iopen:~ auth 6000/bcp ~open- XII Fragmented packets: Nmip run completed ~-1 IP address (i host up) This method uses the fragmentation of an IP scanned in 5 seconds packet by TCP. Normally, fragmentation occurs when the datagrams are bigger than the possible Tcpdump trace: size, this size limitation is called MTU (Maximum Transmission Unit). Fragmented datagrams are 10:43:37.594397 Diablo > Diablo: icmp: echo request put together at the end of a node. This behaviour "4500~001c 2ecf 0000 2c01~6210 7f00 0001 7f00 0001 0800 8f87 6878 0000 can be abused. Not every IDS/firewall works with 10:43:37.594397 Diablo > Diablo: icmp: echo reply fragmentation, i.e., there are sometimes errors (DF.) ...... with fragmented packets. Instead of sending our 4500 O01c 0000 4000 ffOX 7dde;7f:O0.000:l: packet, normally, we subdivide it (in fragments). 7.riO0 0001 0000 9787 6878 0000 ..... i0:43:37.604397 .D±ablo.34607 > Diablo;http: o ack These contain "common" data like source IP, 1932747o46-~wln4o~6- destination IP, source port... Now, it is possible 4500’ 0028 ee0~ 0000 i@b6 ~.Tbe :7fO0 0001 that the running firewall/IDS has problems with 7f00 0001 872f 0050 5b20 0003 7333 6126 5010 I000 cad5 0000 putting together fragments. These problems can lO:43:37.604397D~ablo;http > Diablo.34607: R manifest themselves in different ways, either it i~321747046:19327.47046(0) comes to a crash of the whole system or the packet ::450.000280000 4000 ff06 7dcd 7f00 0001 goes through. Our packet could possibly get woO 0001~i00:50 8~2~ 73336126 0000 0000 through because the putting together was " .5004:00005605 0000 erroneous and the packet was falsely specified -10:.43:37.904397 Diab~o.34587,> Di~ablo.408~ ~ win. "harmless". Sometimes, not all fragments are checked properly, i.e., only a certain fragment is 2f00:0001 871b 0198.’0000:0000 000!0i 010i06~ checked so that our packet gets through again. With this technique you can scan less conspicuous as the traffic could be marked "harmless" and would not start an alarm. On the other hand this theory depends on the IDS (firewall) having problems with processing and putting together fragments. You do not need the complete three-way-handshake, thus, stealth scanning (like that mentioned) is less Reverse Ident Scanning: conspicuous than TCP scanning. IDS should detect First, a section from RFC 1413, the RFC for those abnormalities in all cases (XMAS and NULL)... Identification Protocol: "The Identification Protocol (a.k.a., "ident", a.k.a., "the Ident Protocol") FTP bounce: provides a means to determine the identity of a With some ftpds the PORT command can be user of a particular TCP connection. Given a TCP abused to establish an arbitrary connection from port number pair, it returns a character string the ftp server to another machine. But first, a which identifies the owner of that connection on little overview how this "normally" happens. First, the server’s system." Reverse Ident Scanning uses the client makes a connection to the ftp server identd to ask for the owner of the running process. (port 21), the ftp server "creates" a second This technique serves above all to find daemons connection back to the client (to be able to send which run as root in order to attack precisely back data). For this second connection you use these daemons. the PORT command. The interesting thing here is that the command contains the IP and the port (which is to be opened) of the client. Subsequently, the server creates a connection, where source port 20 and the destination port are the port.s specified by the PORT command. The Here Dumb Host should have as little traffic as point of attack is the PORT command with which possible. The reason for this will be more clear in the you can manipulate the port of the (supposed) end. Why is Dumb Host used, why do we need one at client to connect to the victim instead of our host. all? Ok, this question leads to the actual attack and After the IP and port were manipulated you can with this also to the explanation why a dumb host is initialize the actual traffic by "list" or "get".. Now, necessary. In order that you can find out if a port of you check the answer of ftp, because if we get a "TARGET" is open or closed you should examine the "425: Can’t build data connection: Connection IP ID field of Dumb Host. For this, Dumb Host is sent refused" this specified port is closed. If we receive a packet (echo request) and with its reply you can "150 : File status okay about to open data read the ID field, respectively the value of the ID field. connection" or "226: Closing data connection. Subsequently, you can send TARGET a packet where Requested file action successful (for example, file the source address is that of Dumb Host. The answer transfer or file abort)" instead as an answer we of TARGET is then received by our dumb host. If he know that the specified port is open. receives a SYN/ACK of TARGET it means that the port is open. As an answer our dumb host will then Nmap parameter: -b send a packet were RST is flagged. If the dumb host receives a RST/ACK of the target machine it sends no AUUGN Vol.24 o No.2 - 34 - June 2003 answer to TARGET. To find out which answer Dumb supported, others are. Thus, the used operating Host got from TARGET we send Dumb Host another system can be specified more exactly. ping. If the port of the target was open and sent back RST the IP ID field of Dumb Host will be incremented, Nmap parameter : -O with port closed and nothing happens. By reading the new IP ID value of Dumb Host you can detect if There are many teste not discussed here but there are the ports were open or closed. Now, it is hopefully enough documents on the net about fingerprint OS clearer why we use a dumb host, i.e., a host with little detection. Fyodor (NMAP) has written a small paper traffic. If there is too much traffic on the host it about this. This part should only give a small would be more difficult to specify which ports are overview about widespread scan techniques. For open (at TARGET), the probability of getting it wrong someone who works with protocol anomaly detection would be higher at higher traffic. there were surely several starting points (certain flag combinations which you have to consider as Fingerprint OS detection: anormal...). Fingerprint OS detection aims to detect the operating on the server. Most new scanners deliver not only, Other ICMP related stuff e.g., "Linux" or "Solaria" for an answer but a specification of versions (of the particular operating Aside from the mentioned echo reply/request ICMP system). For this, you make a "fingerprint" (profile) of supports further message types with which you can the operating system. These days, you cannot trust collect further information about the network (so- banners of telnet, ftp (see above) as they can be called NON - ECHO - REQUESTS): changed and manipulated. If the attacker finds out the exact version of the target host he can build ICMP Time Stamp Request / Reply (RFC 792): scripts, exploits .... for it and continue with his The actual meaning of Time Stamp Requests (type attack. This technique exploits the fact that 13) is to get the time settings of a remote system. operating systems differ in small details (what an If the remote host receives a Time Stamp Request insight ;). As there are a lot of documents on this it sends back a Time Stamp Reply (type 14). First, technique I will only give a short overview over the the structure of a time stamp (relative to RFC): most important test possibilities: FIN test: If a host receives a FIN packet at an open port it should rather not answer (RFC 793) but there are also exceptions, e.g., with MS Windows, BSDI,. CISCO, MPS ....which send a RESET for an answer. ACK sequential numbers: When sending FIN I PSH I URG to a closed port the sequential number of the ACK packet is set to the own Before I get to the use of a Time Stamp Request for an sequential number mostly. But here also Windows attacker I tell you some basics about the time stamp. makes an exception ;). Windows sends back the For us, only the last three "fields" are of importance. own sequential number + 1 ... Here, the respective section in the RFC: BOGUS flag test: If an undefined TCP Flag is used !~e~0~iginate Timestamp is :g~@ ~e ~the Sende in the TCP header (in a SYN packet), Linux hosts < 1~£~ ~clied the m~ge bef~ ~nding it, the 2.0.35 adopt these flag settings. Other OSs reset Ra~i~a Timestam~;~; ~g %iaa £ha[ach0er first when receiving a S~+BOGUS packet... Ti~stamp :is: :th~ iast tb%~d the message :on ~:s~:d{~ i’b~t" ~ ~[~ " TCP initial window: Most operating systems use (almost) constant window sizes (of the reply As said in the RFC the sent back timestamp is the packets). E.g., AIX delivers 0x3F25, MS NT5, count of milliseconds since midnight UT (GMT). OpenBSD and FreeBSD use 0x402E .... Of what use is a time stamp request/reply for us? Don’t fragment bit test: Some operating systems differ in setting this bit in some packets or not. If you are sent back a time stamp reply you would Thus, you can additionally differentiate which OS know that the host is reachable and on the other is available... hand, with the Originate Stamp and the Receive Stamp you can estimate the load of the network (the TCP options test: The basis of this test is simply difference is, of course, dependant on cables used, told: You send an inquiry to the particular host, cards .... ). set diverse options and look at the answer if there are also these options set. Those options At last, a tcpdump trace: contained in the answer are supported... As the 11:38:37.898253 Diablo > Diablo: icmp: time stamp case may be with the operating system (and query id 53763 seq 64548 version) certain options are in principal not (ttl 254, id 13170, len 40) AUUGN Vol.24 ~ No.2 - 35 - June 2003 4500 0028 3372 0000 fe01 8b60 7f00 0001 4500 001c 3372 0000 ff01 8a6c 7f00 0001 7f00 0001 .0d00 61fb d203 fc24~ 0211 c0ca 7f00 0001 0f00 19fc d~03 0100 ’ ~. 0000 0000 0000 0000 ~ : , 11~:38:37.898253 Diablo > Diablo: icmp: time stamp ICMP Address Mask Request / Reply (RFC 950): The reply id 53763~ seq 64548 : Address Mask Request (type 17) has been described org 0x21i:C:0Oa .~ec~v 10x211c0Oa.xmit ~0x2ilc0ca (DF) in another RFC, for more information look at RFC950 (ttl i i ii~! . 4500 0028 ~0000 4000 ff01 7dd2 7f00 0001 and not in RFC792. The meaning and use of an 7foo, 0001.0eO0db43 d203 o24 021 c0ca Address Mask Request is to get the subnetmask of a i 021i c0ca 0211 Ci0Ca ..... connected network. If a gateway receives such a request it should send back relevant information to ICMP Information Request / Reply (RFC 792): "This the respective node (Address Mask Reply - type 18) message may be sent with the source network in the IP header source and destination address fields zero (which means "this" network). The replying IP module should send the reply with the addresses fully specified. This message is a way for,, a host to find out the number of the network it is on. So, an Information Request (type 15) has the meaning to get the network number of the host which sent the With this, you can not only discover hosts in the request. network (which are online) but also get to know about the network configuration with further tests... ,,~he~ address~ 6f the source in an information. Tcpdump trace: ~ information r~pl~ ~eSSase~ ,, Diabl@ > Diablb!~mp: address mask W~th an [~o~adon Reply (~e i~) you take the source IP of the I~o~ation Reques[ as destination of the reply (simply put you send the reply to the host which requested the i~o~adon). As source I hope, this section showed you that you have more of the reply you t~e the destination IP of the possibilities to get information about a network and request... that it does not always have to be the "normal" ping... In the respective RFCs are mostly such hints which describe what you should consider ff you want to Normally, the situation is that the sender of an "support" the different types of request... Developers Information Request sets 0 as destination address of ("real") IDSs should also consider such issues. If (which means "this network"). But there is also the they should be supported you should consider that it possibility to set destination and source IP to 0 (when works (read RFCs). But even this is not the end as sending the request). In this case, the Information you can read in the next section... Reply would receive the network number of the host in the source and the destination address field, i.e., f Even more information about the target: The use of the source address field in the request does not equal packet filters (or more common: firewalls) is surely 0 the network number of the host would only be sent not very special, these days. Also the use of so called back in the source IP field of the reply. firewall modules in IDSs can be found more and more often. Often, an attacker does not have the possibilities to use some of the discussed scans as they are blocked, filtered... The aim of this small section is to show possibilities with which you can work out some of the filter/firewall rules of the target. It seems that you could only send an information request within the network (see above) but that does The principle of this idea is quite simple as you try to not have to be. Some operating systems also answer provoke ICMP error messages, respectively send an information request where the destination IP is not "illegal" packets from which you can draw conclusions in the same network. In such an information reply about the set of rules. we would receive the IP of the host (and not the "If the gateway or host p~ocessing a datagram network number). finds a problem with thekilheader parameters such that it cann0t complete p~ocessing the datagram At the end, again a short tcpdump trace: it must discard the datagmam. One potential source of such a problem i~@ with incorrect arguments in an option. ~he. gateway or host may 11:42:35.608253 Diablo > Diablo: icmp: information also nOtifythe source host via the parameter request (ttl 255, problem message. This message is only sent if id 13170, len 28) 4500 001c 3372 0000 ff01 8a6c 7f00 0001 the error caused the data~ram to be discarded." 7f00 0001 0f00 lafc d603 0000 11:42:36.608253 Diablo > Diablo: icmp: information This section is from RFC 792 and is part of the request (ttl 255, description of the so called parameter problem (type id 13170, fen 28) AUUGN Vol.24 o No.2 - 36 - June 2003 12). As you can see in this section a reason for the both results you can make conclusions on possible message "Parameter Problem" can be a false IP filter rules, last and not least you get a wide header, i.e., if we would send a packet with a false IP representation of what is allowed and what not. header to a host we should actually get back this Further possibilities could be to vary used protocols error message. This error message has one additional (TCP, UDP .... ) so that you could find out further advantage as support of this error message is rules. There would be, e.g., the possibility that a "recommended" in RFC 1122: certain protocol is blocked/filtered. host SHOULDgenerate~Parameter!Problem I think the abstract on the Parameter Problem is now clear so that we can go on looking at further error MAY be reported t:6 the ~US~9~i! i ~ messages. The following section is again taken from RFC 1812 and describes what Destination Unreachable error is and what can be the reason for this error: s0me,ii!10~a!091!iremote On the whole, this gives a very good possibility to detect hosts in a network (for the mentioned reasons). Additionally, I refer to RFC 1812: ..... ~3 ~,3~5 Pa~araeter :Pr0D em i Nevertheless, different routers interpret this section (and also others) differently, for which reason it is not clear that a Parameter Problem is generated. An IDS (respectively firewalls) should check fields in the IP header anyway as it can happen at times that you receive a packet with a false header, but this should happen rarely. An attacker who scans a whole network with this method (or any specified IP range) knows that the firewall/packet filter.., does not block, filter this error message. But if you do not get a Parameter Problem you know at least that this message is blocked. This method to find out the set of rules is only the first step (the method is above all an alternative to a "normal" ping). To get an as exact as possible access control list (ACL) of possible filtering/firewall software we should get further information of the topology. To do this, you could, e.g., send the different ICMP message types to single hosts (with false IP header) and wait for a notification of a Parameter Problem. If 7 = DestinationHost: Unknown - generated only when there is a notification of a Parameter Problem on host a router candetermine (from link layer advice) that the destination hostdoes not exist; "X" this means for us that the host.does not filter this ICMP message type (and the respective host is ii = Network Unreachable For Type Of Service - reachable). Additionally, this means for us that the generated by a router if a forwarding path (route) to the destination network with the erroneous information in the IP header is not requested or default TOS is not available; checked. If we get no Parameter Problem we can also make several conclusions. On the one hand, it would 12 = Host UnreaChable For Type Of Service - be possible that a filter filters/blocks the ICMP generated if a roUter cannot forward a packet because its route(s) to the destination do not message type and on the other hand it is possible match either the TOS requested in the datagram that the router checks the header and does not let or the default TOS (0) ." forward this anormality, etc.. As you can see, with AUUGN Vol.24 ~ No.2 - 37 - June 2003 ipcv 71 IPCV # Internet. Packet Icore Utility If we now, e.g., try to send a packet to any port which cpnx 72 CPNX # Cbmpute~ pr0tocOi ~ehw0~k uses a protocol that does not exist, there should EXecUtiVe . ¯ " cphb. 73 CPHB # Computer PrOtOCOl Heart Beat~ actually be a notification about a Destination wan 74[ WSN:. # Wang Span NetWork ...... pvp 75 PVP # p~cKe~ Video Protocol Unreachable with code value 2 (Protocol br’sat-mon ~ 76: ~ B~SAT:MON. ~ @~ B~Ckro0m SATNET : Monitoring ~ . :~, ~ ) .~ Unreachable). Further, with this example you should suhlnd 77 S~,ND # S~ ND :PROTQCOD:TemP0rary know first which protocols are "admitted". This, you wS~h~n 78 WB~MON: ~ ...... # WiDEB~D Monitoring:, : wb/iXpak ~:~ WIDEB~DEX~AK ):: ~ can find out when you look at your /etc/protocols. i~o-ip s0 "- 79~ zs0-z~ : : i~ExPAK ...... ¯ v~gp 8 ~TP ~ vo~satil~ M@~aS~Transport After the installation on one of my hosts the seQure-~p! . : 82 SECURE-~Tp # SEe~E’~T.P vines ....8~: ,~ :~i~E~ ’ ~ # ~NES " : :: ~ ~ ....: /etc/protocols looked like this, e.g.: ttp ~ 84 : TTP / .:~ T:TP :: n~net:igp 85: ~ NSFNET~IG~ :. ~:N~FNET~IGp " : ...... ~= /etc/protocols dgp . .86 DGP #: Disslmi~ar :Ga£ei~ay Protocol /etc/protocols: tcf / 87 TCF.. # TC~ ::: ’ : $Id: protoco~s,~ 1.2 2001/0!/29 17:29:30 notting Exp $ eigrp " 88 EIGRP : W Enhanaed Inter Internet (IP) protocols - ..~ ~. What if the host does not send back a Protocol from: @(#)protocols 5.1 (Berkeley) 4/17/89 Unreachable (though you used a protocol that Updated .for NetBSDibased on RFC 1340, Assigned Numbers (July actually does not exist)? This can have two reasons. First, it could be that you have found an AIX, HP-UX see also http:/iWW~,isi~edugin-~otes/iana/ass!gn~entsiProtocol numbirs ..... ~ or Digital Unix machine or the set of rules of the host does not allow access to these ports. So, at first, verify what kind of host you scan (among other possibilities with fingerprint OS detection) or else you igmp 2: . IGMP~ ¯ #.internet group maKagement can assume that it gets filtered/blocked. Note: The detection of such an attack is quite simple (and belongs to the section of Protocol Anomaly Detection). Anomaly Detection will be discussed in the next chapter (Possibilities of analysis), now, it is sufficient to know that traffic is searched for "anormalities" and the use of a non-existant protocol belongs to these "anormalities". [] Denial of Service (DOS) DoS (Denial of Service) attacks normally aim to paralyze the target server so that it is not reachable for some time. There are so many techniques by wich you can "exhaust" the resources of the target host. In the following I present you the most common: ICMP Flooding: netblt 30 - NETBLT ~-~ ¯ #Bulk Data. T~ansfer. Pr0tocol ICMP Flooding "uses" ICMP. If a host receives an mfe~nsp 31 . M~E~NSPI # MFE NetworklServices:Pro~oco~ merit~inP ...... 321-MERIT~NP . ICMP echo request it will normally try to answer 3pc 34 !3PC #Third. Pa~:ty:connectProtocol . with an ICMP echo reply. This behaviour is used idpr 35 IDPR . #Inte£~Domai~PoEicy Routing~. with ICMP Flooding: If you send the victim too Protocol . xtp 36 XTP : #.Xpress Tranfer Protocol many echo requests its resources will be working ddp ~ $7~~i DDP ...../!# Datagram Delivery Protocol idpr~cmtp:i.i38~i IDPR%CMTP !~ #~:IDPR Control Message on it to reply to these requests (as echo replies). tp++.~:39:. : TP~÷ #TP÷+Transport Protocol As the IP of the attacker is mostly additionally il- 40’. : IL # IL Transport Protocol spoofed it does not get the replies but someone ipv6....41 :. IP46 # IPv6 sdrp 42 SDRP # SourceDemand Routing Protocol else. ipvO-route 49’ IPv6-Route # RoutingHeaderfor IPv6.. ipv6 -frag 44. IPv6-Frag # FragmentHeader.for IPv6 idrp 45 IDRP " # Inter-Domain Routinq Protocol SYN Flooding: rsvp 46 RSVP- # Resource ReSerVati~o~iP~otoeol gre 4.7 GRE # Generic Routing EncapsulatiOn To understand SYN Flooding, I present again the mhrp 48 MHRP #. Mobile Host Routing:Protoco[ bna 49 BNA # BNA "normal" three-way-handshake: ipv6 - crypt 50 IPv6-Crypt # Encryption: Headerfor IPv6 ip~6-auth 51 IPv6-Auth #Authentication Header for IPv6 SYN " i~nlsp 52 I.-NLSP #Integrated. Net Layer Security TUBA swipe 53 SWIPE # IP withEncryption narp 54 NARP #[NBMAAddress Resolution Protocol mobile 55 MOBILE # IP Mobility ACK/SYN ’ tlsp 56 TLSP # Transport Layer Security Protocol Host. ~~ skip~ 57 SKIP # SKIP I <=- I Ho~t.. ~ I ipv6 i crop 58 IPv6-ICMP # ICMP for IPv6 ---- ipv6 -nonxt 59 IPv6-NoNxt # No Next Header for IPv6 ipv6 -opts 60 IPv6-Opts # Destination Options for IPv6 ’ : ACK ’ # 61 # any host internal protocol Host A ’ I " ..... > [ HOSt B i cftp 62 CFTP # CFTP ~-~--- # 63 # any local network sat-expak 64 SAT-EXPAK # SATNET and Backroom EXPAK kryptolan 65 KRYPTOLAN # Kryptolan rvd 66 RVD # MIT Remote virtua! DiSk Protocol Host A sends Host B a SYN to say that he wants a ippc 67 IPPC # Internet Pluribus Packet Core # 68 # any distributed file system connection, B answers with ACK/SYN and waits for sat-mon69 SAT-MON # SATNET Monitoring the final ACK with which the connection would visa 70 VISA # VISA Protocol AUUGN Vol.24 o No.2 - 38 - June 2003 complete. But what if the last ACK is not sent? If B sends back its SYN/ACK it waits (as said before) for 10 :13 : 32 ,104203 .i0,i0;I0~i0~53>192 168,1.3.53: udp: the ACK of A, until then it will be queued in the 4500 0038 00f2 2000 40ii 84:~<:0a0a :0a0a " connectin queue of"B". If the connection is complete cOa8 0103 0035 0035 0024 0000~0000 0000 (A sent B an ACK) it will be removed from the oooo ooo0 oooo oooo 0o0o oooo oooo ’ connection queue. But as mostly the IP address is spoofed B never receives an ACK (it should be so). i0:.~3:!32,!04272 10,10.!:01.!0 >i92~16~:i.3: ~) So, you can "fill" the connection queue as the host 28 (if~ag~ 242; 4@24 (t~l 64) " ~ ’4g’oo 0018.00f2 0003: 401i a421 oaoa Oaoa: cannot make additonal connections. :~ [I[CO[8- .OlO 0035 oo:61o::oooo’3 o:ooo, oooo oooo: oooo oooo UDP Flooding: With this flooding attack the target server is flooded Ping of Death: with UDP packets. If you send a UDP packet to a port Here, too, fragmentation of the IP packets again plays on the target server it will first check which service is a role. Here, I will go into more detail (only a little ;) responsible for this "request". Now, you choose on fragmentation. As told before, fragmentation random ports to which you send the packets to rise means that the size of datagrams is "reduced", the probability that a "Port Unreachable" is sent by whereas single fragments are not to be bigger than ICMP. As the result of such a flood the performance the MTU. When fragmenting you should actually of a network segment suffers (often) considerably. consider that you cannot fragment as you want, respectively that certain fields have to exist in every Land: fragment. So, every fragment has to contain, e.g., the Later you will see a filter which detects ff there is a IP protocol header to choose the right route. That the Land attack and can initiate counteractive measures, router can rebuild fragments to a datagram every but first the actual attack. A Land attack has similar fragment receives a 16 bit flag (of the original, "big" source and destination IPs. When sending, e.g., SYN datagram"). With this 16 bit flag it is later possible to packets (with same source/destination IP) to an open sort the single fragments to the right datagram. port there will start a race condition on the victims Additionally, there is a fragment offset which tells at host which leads to paralysis of the whole system. which position the fragment was in the original Here, a trace of a Land attack: datagram. But the position is in 8 octet units (as the position is measured in 8 octet units). Additionally, the "more-bit" shows ff further fragments of this datagram follow or not. If it is set to 1 further will follow if set to 0 it was the last fragment of the datagram. Now, we get to the actual ping-of-death As you can see again, source and destination IP are attack. Ping-of-death is given an offset of the last the same. fragment for which is: offset + fragment size > 65535 bytes. Thus, it is possible to flood internal 16 bit 12:95:26.916369 variables which would result, e.g., in a system crash. 192.168.38.110.135>192.168.38;110.135: udp 46 [tos0x3 ; ECT,.CE] " 4503 004a 96ac 0000 4011 15c7 c0a8 2668 c0a8.266e 00870087 0036 8433~6920~6:16d 206c 616d 6520 646f 7320 6b69 6420 6275 192¢i::68.38.liOi13:55Z92.i~8;g8.1~Oi13:5::udp 46 [~O~:OX3i~c~.;,eEl.-:.:~ ::).::: -: ’":- " ...... A ping is sent to the broadcast address, better said, 4503 004a:2923:.0000 4011 8350 coa8 266e many pings are sent. Packets sent to the broadcast coa8 266e. 00~7 0087 0036 8433 6920 616d address are sent to all hosts of the network. If you 206c 616d 6520 646f 73206b69 6420 6275 send many pings (ICMP echo requests) to the 7420 6920 7265 12:35:26.916682 broadcast address (e.g., 10000 per second) and you 192.168.38.110.135>192.168.38.110.135:udp have a relatively large network with 1000 hosts, it 46[tos0x3,ECT,CE] means that there are 10000 * 1000 ICMP echo replies 4503 004a 50a0 0000 4011 5bd3 c0a8 266e c0a8 266e 0087 0087 0036 8433 6920 616d per second at the victim’s host, that means 10000000 206c 616d 6520 646f 7320 6b69 6420 6275 ICMP echo replies. 7420 6920 7265 09:28:28.666073 179.1.35.168.43>256.256.30.255: icmp: echo request. :(DF) : The attack which you can see here is also called 4500 001C c014 4.000 le0! 6172 b387 a82b Snork. c0aS.leff 0800:fT:ff 0000 0000 0000 0000 " 0000 o0¢0 000o 00o0 00o0 0000 0000 Teardrop: 09:28:28.696073 68o90.226:250>256,256.30.255: icmp: echo request (DE) Here, the possibility of fragmentation of IP packets is 4500 001c c015 4000 le01 95cf 445a e2fa used. As you see in the description of the scans there �0a8 leff 0800 f7ff 0000 0000 3136 3803 is a fragmentation if datagrams are bigger than the 3133 3503’ 3137 3907 696e 2d6~ 6464 09:28:28.726073 138.98.10.247>256~256.30.255: size limit, this size limitation is called MTU (Maximum icmp: echo request (DF) Transmission Unit). With this attack, fragments ~ 4500 001c C016 4000 leOl 27ca 8a62 0af7 overlap and as a result of this overlap many OSs have cOa8 leff 0800 f7ff 0000 0000 0332 3236 (had) problems and mostly crashed the system 3938 0331 3638 0769 6e2d 6164 6472 AUUGN Vol.24 ~ No.2 - 39 - June 2003 09:28:28.756073 130 ~113 . 202 ,100 > 256.256.30.255: (http : //www. freebsd, org/smp/index, html). icmp: echo request. I(DF! ~ ~ ~, .... 4500 001c c017 4000 ~e0! 70~� 82711~a64 cOa8 leff 0800 f7ff~O000 0000 Q231 .3002 FreeBSD 5.1 will continue to be released from the 5- 3938 0331 3338 0769 6e2d 6164 6472 ~ .... CURRENT development stream. For more details ... about the milestones for reaching 5-STABLE, see the 5-STABLE Roadmap page For some time, there also existed DDoS attacks (http : //www. freebsd, org/doc/en/articles/5 -roadmap). (Distributed Denial of Service). As the name suggests it is a distributed/networked DoS attack. The The current release engineering TODO list is also attacker (client) looks for other hosts/networks,.. available which are easy to exloit. These first infected hosts are (http ://www. freebsd, org/release/5, iR/todo, html). the so called handlers. Handlers infect further This list is updated periodically through the release hosts/networks, these infected hosts are then called cycle. agents, i.e. as a datagram: SCHEDULE Action Expect Description ed Actual Handler " :. Handler :Handler - CURRENT The src/code freeze code freeze for 5.1. Commits to HEAD require o5/o5 o5/o5/ re@FreeBSD, org /o3 03 approval. Later, agents execute attacks. 5.1-BETA 5. I-BETA release of This is the first article out of 2. We will continue in o5/o5 15/o5/ x86, alpha, sparc64, the next issue of LinuxFocus. /o3 O3 and ia64. 5. I-BETA2 Second 5.1-BETA 19/05 22/05/ release of x86, alpha, This article is re-printed with permission. The originals /03 03 sparc64, and ia64. can be found at: RELENG 5 1 Branch of s rc / from hap://www, linuxfocus, org / English/ May2OO3 / article branched HEAD for the release. 292.shtml Note: no branch for 30/05 31/05/ RELENG_5 will happen /03 O3 at this time. Turn off Turn off WITNESS, FreeBSD 5.1 Release debugging INVARIANTS, and for malloc debugging Process RELENG 5 1 30/05 31/05/ options similar to [email protected]> /03 03 what was done for 5.0. Last modified: May 31, 2003. First x86, alpha, sparc64, release and ia64 images INTRODUCTION candidate released and uploaded 3o/o5 to ftp- This is a specific schedule for the release of FreeBSD /o3 _- master. FreeBSD. org. 5.1. For more general information about the release src/ Unfreeze HEAD src. engineering" process, please see the Release unfrozen Continue to coordinate Engineering section significant check-ins (http ://www. freebsd, org/releng/index, html) of with re@FreeBSD, org in the web site. 30/05 31/05/ order to work towards /03 O3 5 -STABLE. General discussions about the release engineering process or quality assurance issues should be sent to Ports tree Tentative date of the public FreeBSD-qa mailing list (FreeBSD- tagged 3o/o5 27/05/ RELEASE 5 1 0 tag for qa@FreeBSD, org). MFC requests should be sent to . /o3 O3 ports. re@FreeBSD, org. Version The files listed at http://www.freebsd.or numbers g/doc/en US.ISO8859- One of the major features of FreeBSD 5.1 will be bumped further refinement of the re-worked SMP support i/articl~s/releng/art icle.htmI#VERSIONBUMP introduced in FreeBSD 5.0. For specific information about the progress towards 5.1-RELEASE in this 02/06 are updated to reflect -- FreeBSD 5.1. area, please see the SMP Project page /03 AUUGN Vol.24 ~ No02 - 40 - June 2003 Action Expect Description ed Actual The principal author of this position paper (Raymond) has been a Unix developer since 1982, is a technical src/tree Tag the RELENG 5 1 specialist in systems programming technologies tagged 02/06 branch with related to those at issue, and is a historian whose /03 -_ RELENG 5 1 0 RELEASE. writings on the open-source community and Unix doc/tree o2/06 3o/o5/ Tag the doc/ tree with ([TNHD], [CATB], [TAOUP]) are widely considered tagged /03 O3 RELEASE 5 1 0. authoritative both within the community and outside it. He has been since 1997 one of the leading Final Start x86, alpha, theorists and (both in his individual capacity and as builds 02/06 sparc64, ia64, and the president of OSI) one of the principal /03 -- pc98 builds. spokespersons/ambassadors for the open-source Warn Heads up email to community. hubs@FreeB hubs@FreeBSD, org to SD. org give admins time to While the authors are affiliated with the Linux prepare for the load community, our argument is also motivated by larger spike to come. The site concerns. Unix, Linux, and the open-source administrators have movement are vital components of the Internet and frequently requested the World Wide Web. SCO/Caldera’s attempt to assert 02/06 advance notice for new proprietary control of these technologies is an indirect /03 _- ISOs. but potent threat against the Internet and the culture that maintains it. What is at stake here is not just the Upload to Release and packages disposition of a particular volume of computer code, ftp-master 04/06 uploaded to ftp- but what a_mounts to a power grab against the future. /03 -- master. FreeBSD. org. FreeBSD FreeBSD 5.1 is This document, originally proposed as a draft brief of 5.1 05/06 announced to the amicus curiae, has been endorsed as an OSI position Released /03 _- mailing lists. paper by OSI’s Board of Directors. The Board has concluded on advice of counsel that OSI cannot seek FreeBSD A formal press release amicus status in advance of pleadings. The option to 5.1 Press statement is in the seek amicus status at a future time remains open. Release works and should be released at this time to This document is an evolving work in progress. the www. FreeBSD. org SCO/Caldera’s complaint against IBM disparaged the o5/o6 website and various work of thousands of individual open-source /o3 -- tech publications. contributors. These contributors feel themselves personally and professionally wronged by This article is re-printed with permission. The originals SCO/Caldera’s unfounded allegations. In the can be found at: tradition of the open-source movement, hundreds of individuals are now sending in their patches to help http: / / www.freebsd, org / releases / 5.1R/ schedule, html inform and evolve the OSI’s position. Copyright ® 1995-2003 The FreeBSD Project. All rights reserved. SCOPE OF THE POSITION PAPER This position paper is written in specific response to SCOovs.oIBM: the Open SCO/Caldera’s complaint Ill filed on the 6th of March 2003 in the Third Judicial District of Salt Lake Source Initiative County, State of Utah. It is not within OSI’s competence or knowledge to Position Paper on the address the specifics of the business relationship between SCO/Caldera and IBM, or the terms of their Complaint contract. It is, however, very much within our Author: Eric S Raymond The Open Source Initiative (OSI) is a 501(c)3 nonprofit Unlike SCO/Caldera’s complaint, we have provided educational association with offices in Palo Alto, direct hyperlinks to browseable versions of all the California. OSI is one of the principal advocacy sources which back our facts. organizations of the open-source community, which is alleged in SCO/Caldera’s complaint to have been In this position paper, we focus on the following beneficiary of tortious and illegal behavior by IBM. allegations, and show that they are incon-ect or AUUGN Voi.24 * No.2 - 41 - June 2003 fundamentally misleading: computer processors. UNIX, on the other hand, commonly links 16 processors and can successfully Paragraph 1.(c) link up to 32 processors for simultaneous operation." "UNIX and SCO/UNIX are widely used in the corporate, or "enterprise" computing environment" Paragraph 90: Paragraph 23 "To accomplish the end of transforming the enterprise software market to a services-driven "Except for SCO, none of the primary UNIX vendors market, IBM set about to deliberately and ever developed a UNIX ’flavor’ to operate on an Intel- improperly destroy the economic value of UNIX and based processor chip set." particularly the economic value of UNIX on Intel- based processors. " Paragraph 57 Paragraph 93: "When SCO acquired the UNIX assets from Novell in 1995, it acquired rights in and to all (1) underlying, "Rather, IBM is obligated not to open source AIX original UNIX software code developed by AT&T Bell because it contains SCO’s confidential and Laboratories," proprietary UNIX operating system." Paragraph 57 Paragraph 94: "When SCO acquired the UNIX assets from Novell in "Over time, IBM made a very substantial financing 1995, it acquired rights in and to all (1) underlying, commitment to improperly put SCO’s confidential original UNIX software code developed by AT&T Bell and proprietary information into Linux, the free Laboratories, " operating system." Paragraph 75: Paragraph 99: "The name ’Linus’ [sic] was taken from the person "The only way that the pathway is an ’eight-lane who introduced Linux to the computing world, highway’ for Linux to achieve the scalability; SMP Linus Torvalds." support, fail-over capabilities and reliability of UNIX is by the improper extraction, use, and Paragraph 78: dissemination of the proprietary and confidential UNIX Software Code and libraries. Indeed, UNIX was "The primary purpose of the GNU organization is to able to achieve its status as the premiere operating create free software based on valuable commercial system only after decades of hard work, beginning software." with the finest computer scientists at AT&T Bell Laboratories, plaintiffs predecessor in interest. " Paragraph 82: OSI submits that these claims are uniformly without "Virtually none of these software developers and merit, and proposes to establish that in the remainder hobbyists had access to enterprise-scale equipment of this position paper. and testing facilities for Linux development. " Technically-inclined readers will probably wonder why Paragraph 84: various apparently relevant topics (such as Minix, or the GNU project, or the Bell Labs research versions, "Prior to IBM’s involvement, Linux was the software or other proprietary Unixes) are not covered. Please equivalent of a bicycle. UNIX was the software remember that this document is not a tutorial in Unix equivalent, of a luxury car. To make Linux of history; history that does not bear on SCO’s necessary quality for use by enterprise customers, it allegations has been omitted. must be re-designed so that Linux also becomes the software equivalent of a luxury car. This re-design is not technologically feasible or even possible at the HISTORICAL AND TECHNICAL BACKGROUND° ~I-[E enterprise level without (1) a high degree of design ~ coordination, (2) access to expensive and MEANING OF ~UNIX sophisticated design and testing equipment; (3) access to UNIX code, methods and concepts; (4) The falseness of SCO/Caldera’s allegations is partly UNIX architectural experience; and (5) a very cloaked by the fact that their complaint uses the term significant financial investment." ’Unix’ in three different ways. Paragraph 85: Among technical people and computer prograrmners, ’Unix’ describes a family of computer operating "For example, Linux is currently capable of systems with common design elements, all patterned coordinating the simultaneous performance of 4 on (but not necessarily derivative works of) the AUUGN V01.24 ~ No.2 - 42 - June 2003 ancestral Unix invented at Bell Labs in 1969. As LINUX AND THE ADVENT OF OPEN-SOURCE SCO/Caldera observes in its complaint, Unix operating systems dominate serious computing, and PROGRAMMING have for more than twenty years. There have been hundreds of different Unixes in this sense, exhibiting SCO/Caldera’s complaint cannot be understood variations analogous to dialects within a language. without reference to a seismic shift now occurring in Fortunately, only a handful of the principal dialects the software industry. The root of the shift lies in the are relevant to this lawsuit. approximate doubling of hardware capacity every eighteen months which has been the trend since the When we wish to be clear that this is the definition we mid-1970s. This means that the typical complexity of are using, we will refer to ’Unix-family’ operating software designed to fully utilize state-of-the-art systems. Use of the term ’Unix’ to describe any Unix- hardware also doubles every eighteen months, family operating system was common before escalating the difficulties of software engineering to SCO/Caldera’s acquisition of the historical Unix previously .unimagined levels. codebase in 1995; AT&T’s lawyers strove against it in vain as far back as the early 1980s. When we use the In the mid-1990s it began to be understood that the term ’Unix’ without qualification elsewhere in this traditional production models for software were paper, this is the sense we intend. running out of steam, increasingly unable to produce an acceptably low defect rate at these escalating The term ’Unix’ is sometimes also used (primarily by complexity levels. There was much talk of a "software historians of computing) more strictly, to describe crisis" and attempts to resolve it through various only those Unix-family operating systems which are attempts at process improvement. derivative works of the original Bell Labs Unix. To avoid confusion, we shall call any operating system of These attempts at process improvement consisted this kind a ’genetic Unix’. largely of introducing more formality, rigor, centralization, and statistical monitoring into the Legally, the term ’Unix’ has been since 1992 a software-development process. They had honorable trademark of The Open Group[2], a technical precedents in the systematization of assembly-line standards organization, and describes any operating manufacturing and industrial process control in the system (whether genetic-Unix or not) that has been 20th century. But producing software is not like verified to conform to the published Unix standard. producing automobiles or soap flakes. The analogy to We will refer to an operating system of this kind as a industrial process control turned out to be ’trademark Unix’. The required attribution is ’UNIX is fundamentally misleading, and all these attempts a registered trademark of The Open Group’. [3] failed, merely adding additional cost to the process However, The Open Group’s strict construction of the without reliably reducing defect rates. term ’Unix’ is more honored in the breach than the observance. Relief came from an unexpected quarter -- from the loose-knit community of programmers and engineers Neither SCO/Caldera nor old SCO has ever owned the associated with the Internet and the Unix operating UNIX trademark. IBM neither requested nor required system. Since the 1960s, the Internet and Unix SCO’s permission to call their AIX offering a Unix. hackers[5] had been pioneering a style of software That decision lies not with the adventitious owner of engineering which reversed the premises of industrial the historical Bell Labs source code, but with The software development. Open Group. Instead of centralization in large programming teams, The Linux operating system is Unix-family and the Internet style used small distributed programming generally referred to as a Unix, but is neither a groups. Instead of process control and hierarchy, the genetic Unix nor a trademark Unix. Linux was Internet style used peer review and open standards. independently created by Linus Torvalds in 199114], Most importantly, the Internet style abolished secrecy and most-versions have not been put through the in favor of transparency and what came to be called rather expensive process required to verify "open source" code. conformance with The Open Group standards. Early examples of this mode of development included Linux conformance to the trademark Unix standard Berkeley Unix from about 1977, the GNU project from can be demonstrated, however. It was done once by a 1983, and the X Consortium from 1983. All three Linux vendor in England named Lasermoon. But the flourished within the Unix community. When Linus Open Group’s rules require re-testing any time the Torvalds launched Linux in 1991 he was operating operating system changes; given the pace at which within a well-established tradition. Linuxes evolve, the cost to maintain certification would have been prohibitive. To the surprise of all concerned, after about 1997 it became apparent that this was the answer (or, at The name is spelled either as ’Unix’ or ’UNIX’; its least, an important part of the answer) that the inventors prefer the former. software industry had been looking for. Defect rates and costs associated with open-source software proved dramatically lower than for closed-source AUUGN Vol.24 ~ No.2 - 43 - June 2003 software[6l. The most skilled programmers flocked to it made the Version 7 Unix source code (the root of all the new mode. The explosive success of Linux, and later versions of the Bell Labs codebase) available for IBM’s adoption of it, is a consequence of the free download on its website[7]. dynamism of open-source development. Caldera Systems International itself, the company now trading It is significant that SCO/Caldera has not asserted as SCO, was founded to ride the Linux wave. any direct IP claim over Linux on the basis of its ownership of the historical Bell Labs code. At best, We did not, however, use the term "seismic shift" ownership of the Bell Labs code could be construed to casually. As with previous technological revolutions, give SCO/Caldera certain proprietary rights with one of the prompt effects has been what the respect to genetic Unixes. Those rights are far more economist Joseph Schumpeter famously called limited than SCO/Caldera would have one assume, a "creative destruction" -- to wreck the business models point which we will develop later in this position of a great many companies attached to the legacy paper. model of closed-source development. RELATIONSHIPS AMONG THE UNIX VARIANTS AT ISSUE The evolution of today’s software industry is confusing to many people because it is proceeding in Here is a schematic diagram of the relationships exactly the opposite direction from previous among the Unix variants at issue in this lawsuit: technological revolutions. Previously, the rationalization of production has been associated with movement away from decentralized cottage industry towards a factory system organized around concentrations of capital. This time, the move is away from the factory system, towards a new form of artisanship and individualism critically enabled by cheap PCs and the Internet. Thus, Linux. This process panics companies like SCO/Caldera and Microsoft who stand to lose everything if they fail to adapt, but it should not be viewed with alarm by any disinterested observer. ~Arhat is actually happening is that the diseconomies of corporate scale are being competed out of software production -- the market is seeking a new and more efficient equilibrium. SCO/Caldera’s complaint is only a small piece of the fallout. There will be a lot more upheaval, and wailing and gnashing of teeth and waving of legal briefs, before this process fully resolves. ThE BELL LA~S CODEBASE There is a body of code and associated intellectual property (IP), originating in Bell Labs, which old SCO purchased from Novell in 1995. This IP had previously been owned by Unix Systems Laboratories (USL), and before that by AT&T. We will refer to this Relationships among various Unixes. IP by its location of origin, as the Bell Labs code. This chart[8] shows the major Unix lineages at issue, The contents of the historical Bell Labs codebase is indicating genetic relationships with arrows. well known; through most of its history, AT&T/USL/Novell tacitly ignored source license Vertical position on the chart indicates year of violations for non-commercial purposes, and many release. Horizontal position indicates which lineage senior Unix programmers still possess bootleg copies the Unix belongs to. Though there are many Unix of that source code. (The authors of this document lineages not shown here, this chart covers all that are could lay hands on several different releases without relevant to the issues raised in SCO/Caldera’s difficulty.) It is scarcely more difficult to obtain source complaint. We will briefly describe each lineage. copies of other major genetic Unixes such as AIX, HP- UX, and Solaris. The contents of these codebases, and AT&T lineage the general pattern of copyrights and other intellectual-propeld:y claims in the source code, is These are the Unixes directly derived from the Bell therefore well known in the Unix community. Labs codebase. The AT&T lineage through a succession of owners; first AT&T itself, then Unix Until 19 May 2003, SCO/Caldera and old SCO before AUUGN Vol.24 o No.2 - 44 - June 2003 Systems Laboratories (USL), then Novell, then old AT&T codebase. SCO, now SCO/Caldera. The dashed red arrow from 4.2BSD to System V The early releases in this lineage (Version 7, System represents stolen property. AT&T, SCO/Caldera’s III, System V releases 1 through 3, and ending with predecessor in interest, took code from BSD Unix into Release 4 in 1988) were developed at AT&T itself[9] System V, removing copyright notices and and are collectively known as "AT&T Unix". attributions in violation of the Berkeley license. We’ll examine the consequences of this misappropriation The later releases are generally known as later on. "UnixWare" after the brand name applied to them at Unix Systems Labs and Novell[ 101. UnixWare is the The dashed blue arrow from UnixWare 7 to AIX 5L product old SCO acquired in 1995, which Caldera represents code incorporated into AIX from UnixWare acquired along with the server division of old SCO in 7 during the Monterey project. SCO/Caldera alleges 2001 and sold alongside of its Linux distribution. that IBM misappropriated this code and merged it into Linux. All Unixes in the AT&T lineage are genetic Unixes, trademark Unixes, and proprietary. The arrow from the open-source BSDs to Linux 2.0 represents sharing of some device drivers and system AIX lineage utilities. AIX is IBM’s own Unix, originally developed 1987- There is another major variant, Solaris, not shown on 1990. Genetic Unix, trademark Unix, proprietary. the chart. Solaris enters the discussion because it is SCO lineage the leading enterprise-capable proprietary Unix; its features therefore provide a standard upon which to SCO’s own versions of Unix date back to 1979, ground assertions about which technologies fall originally under the name XENIX. After old SCO under that rubric. It derives from System V and BSD. acquired the Bell Labs codebase in 1995 it sold two As of mid-2003 it is still the dominant Unix in the Unixes: OpenServer based on the XENIX code, and a enterprise market (sold in conjunction with server UnixWare descendant. All SCO Unixes are genetic hardware by Sun Microsystems). Genetic Unix, Unix, trademark Unix, and proprietary. trademark Unix, proprietary. BSD lineage CORPORATE HISTORY Berkeley System Distribution (BSD) is is a series of Unix releases developed primarily at the University In 1956, AT&T settled an antitrust action brought by of California at Berkeley but incorporating code from the United States. Under the consent decree, AT&T’s universities and hundreds of contributors at business was limited to "common carrier research laboratories worldwide. communications services." Bell Laboratories was required to license its patents on reasonable and non- BSD Unix is important for this lawsuit because its discriminatory terms. [ 11 ] three modern variants are genetic Unix, but no proprietary rights to them can be claimed on the The consent decree or "Final Judgement" was still in basis of ownership of the Bell Labs source code (for full force when work on Unix began at AT&T’s Bell reasons we shall develop later in this position Laboratories in 1969. paper). Old SCO was founded in 1979 as a Unix porting and The BSDs are genetic Unixes, not trademark Unixes. consulting company. The first SCO product offering, They are open source. an Intel Unix port, was in 1983. [12] [13] Linux lineage On January 1, 1984, the Bell System was broken up. [141 The old regime of the "Final Judgement" had Launched in Finland in 1991, developed on the been overthrown by the "Modified Final Judgement": Internet, contributed to by thousands of people. AT&T could enter the software business. They did. Neither genetic nor trademark Unix ("Linux" is a That year, the corporation began to develop Unix as a trademark of Linus Torvalds). Open source. commercial product. Note that SCO OpenServer (at the end of the line of In 1990, AT&T reorganized its business unit Unixes descended from XENIX) and SCO Unixware (at responsible for UNIX System V, the AT&T UNIX the end of the line of AT&T Unixes) are two different Software Operation, into a wholly-owned subsidiary, products of SCO; but XENIX was old SCO’s original UNIX System Laboratories, Inc. (USL). [ 151 [ 161 The Unix, while UnixWare was what it picked up when it next year, AT&T sold a minority stake in USL to bought the AT&T codebase. The dashed arrow eleven selected companies. [ 17] [ 18] [ 191 between UnixWare 2 and UnixWare 7 reflects the fact that it was a product designed to merge OpenServer 5 Late in 1991, the Univel joint venture was formed with UnixWare 2 (5 + 2 = 7) after old SCO bought the between Novell and USL. [20] [21] AUUGN Vol.24 ~ No.2 - 45 - June 2003 involved in open-source development between 1998 In 1993, Novell bought USL. [22] [23] USL and Univel and 2000. It invested in Caldera and TurboLinux, became the Novell UNIX Systems Group. [241 bought out a popular on-line store called LinuxMall, and boasted of offering more open-source and Unix Novell transferred the UNIX trademark to X/Open expertise than anyone else in the world. (later to become The Open Group). In a press release at the time of the Project Monterey In 1994, a group of Novell alumni formed Caldera launch[27], Doug Michels (the co-founder of old SCO Systems International with the backing of Novell’s who remained at its head until Caldera Systems founder, Ray Noorda. Caldera was intended to be a International acquired the brand in 2001) had this to Linux distributor, aiming at the business and say: "The whole idea of shared development has been enterprise market. ubiquitous in Unix for years. The Internet has magnified that and open source is bringing In 1995, Novell sold the UnixWare business to old collaborative development to a new level." He SCO. [251 [261 observed, correctly, that it would be important for Unix vendors to continue their embrace of the open- In 1998, old SCO, IBM, and Intel began cooperating source community, most notably Linux. At that time, on Project Monterey, a Unix port for the Intel Itanium, SCO got it. a 64-bit microprocessor. In a web page from 2000 [28], (since removed from Also in 1998, IBM ported its first application (DB2) to their site) old SCO repeated this theme: "The concept Linux. of collaborative development and shared source has been ubiquitous in the UNIX system industry from In 2000, Caldera Systems International held an IPO the beginning. Today, the Internet has magnified that as a Linux company. trend dramatically and led to the exciting phenomenon that is Linux." Also in 2000, IBM began to support Linux kernel development. THE MEANING OF ~ENTERPRISE SCALABILIT¥~ In 2001, SCO split up. The rump of the company SCO/Caldera uses the term "enterprise computing" focused on its Tarantella product. The SCO brand, and various other derivatives in its complaint, but SCO OpenServer and the Bell Labs codebase were fails to define it. It is a marketing term suggesting acquired by Caldera. very high operational reliability. The term is generally held to encompass the following technologies: In 2002, Caldera began trading under the SCO name. symmetric multi-processing (SMP) In the remainder of this document, we will use the following terminology: The ability to allocate work in a computer among multiple processor chips in such a way that all are Caldera Systems International as efficiently utilized as possible, leading to Caldera before the 2001 acquisition of completion of programs in the shortest possible the SCO server division. time. old SCO SCO before the 2001 acquisition. journaling file systems SCO/Caldera The merged company Construction of an operating system’s code for managing hard drives and other storage devices in such a way that data cannot be lost or garbled by SCO~s HISTORY WITH OPEN SOURCE power outages or most categories of hardware failure. Caldera Systems International, the corporate entity now trading as SCO, was founded as an open-source logical volume management (LVM) centered company by a group of former Novell executives who were enthusiastic about Linux. Its The ability to make multiple physical disk storage only product was a Linux distribution. Caldera Linux devices appear to be a single large disk volume, was not a market success, however. It became an incorporating redundant storage and error checking also-ran in the commercial Linux distribution market such that the failure of any one of the physical dominated by Red Hat (a North Carolina corporation) volumes still allows all the data to be recovered. and SuSE (a German import). In mid-2002 co-founder president and CEO Ransom Love was pushed out non-uniform memory access (NUMA) during the shakeup that accompanied Caldera’s acquisition of old SCO’s server division. A method of configuring a cluster of microprocessors in a multiprocessing system so that Old SCO, prior to its acquisition by Caldera, did not they can share memory locally, improving produce its own Linux distribution, but became performance and the ability of the system to be AUUGN Vol.24 ~ No.2 - 46 - June 2003 expanded. deployments with no individual site requiring enterprise technology. hot-swappable hardware Examination of old SCO’s 10Ks reveals that, even The capability to add and remove hardware while were we to assume that every dime of their revenue the system is running, without interrupting came from the enterprise market, their 2002 share processing. could not have exceeded 3.1%[29]. This is at the level of statistical noise. support for large memory address spaces via 64-bit processors In fact, SCO/Caldera’s own complaint concedes that its historical strength has been in low-end systems Large database used by small businesses. The principal author did SCO Unix consulting in the early 1990s, configuring Other terms sometimes encountered include systems for a small-town police station and a dental "transparent failover" and "high availability". These practice; anyone familiar with the industry would features are largely consequences of the application of recognize that these were entirely typical old $CO the technologies specified above, with hardware that deployments. And SCO/Caldera’s most recent 10K permits a computer system to detect and compensate [30] states, in part "Our business is focused on for internal errors. serving the needs of small businesses, including replicated site franchisees of Fortune 1000 Solaris, the industry benchmark for a high-end companies[31], to have reliable, cost effective Linux enterprise-scalable Unix operating system, features and Unix operating systems and software products to all of these. power computers running on Intel architecture." Conspicuously absent in SCO/Caldera’s most recent mission statement is any talk of 16-way servers or SCO/CALDERA MISREPRESENTS ITS OWN HISTORY AND enterprise data centers. In fact, SCO’s history of non- POSITION performance in the enterprise market is not only consistent from long before the beginning of IBM’s SCO/Caldera’s complaint is factually defective in that involvement with Linux in 1999-2000, it predates the it implies claims about SCO/Caldera’s business and 1991 origin of Linux itself. SCO/Caldera’s claim that technical capabilities that are untrue. It is, indeed, IBM’s behavior with regard to improving Linux’s very cleverly crafted to deceive a reader without enterprise scalabflity did it harm should be evaluated intimate knowledge of the technology and history of in the light of the failure of both incarnations of SCO, Unix; it gives false impressions by both the over more than a decade before that, to even seriously suppression of relevant facts, the ambiguous attempt to be competitive in the enterprise market. suggestion of falsehoods, and in a few instances by outright lying. SCO/CALDERA FALSELY CLAIMS TO HAVE BEEN UNIQUE AS AN ]_NTEL UNIX VENDOR SCO/CALDERA’S CLAIM TO HAVE BEEN A SIGNIFICANT ENTERPRISE PLAYER IS FALSE n paragraph 23 SCO/Caldera writes "Except for SCO, none of the primary UNIX vendors ever developed a SCO/Caldera’s attempts to confuse the issues in this UNIX "flavor" to operate on an Intel-based processor complaint begin early, in Paragraph 1.(c) where it chip set." asserts: "UNIX and SCO/UNIX are widely used in the corporate, or ’enterprise’ computing environment." This is false. Sun Microsystems is a primary Unix vendor by anyone’s definition, and their Solaris While thi.s claim is literally true, it is misleading in operating system was ported to the Intel 386 and sold that it fails to distinguish between the market share on that platform. IBM’s AIX was also ported to the of old SCO’s own Unixes (SCO OpenServer and 386 in 1987 and sold until 1995132]. Unixware) and those of competitors such as Sun, Hewlett-Packard, and IBM. By failing to so The complaint misleadingly implies that Unix was not distinguish, it conveys the impression that old SCO’s generally available on PCs other than from old SCO. market share in the enterprise segment was But, in fact, AT&T Unix was ported to Intel chips by significant, thus magnifying the putative harm done no fewer than six different software houses " and by IBM’s alleged misconduct. that’s not counting "own brand" ports maintained by PC hardware vendors such as Dell. The truth is otherwise. Old SCO never had significant enterprise market share either before or after its Up to 1994, when Linux made them irrelevant, the purchase of the Bell Labs codebase from Novell. Their principal author maintained an on-line product strength has been in franchise operations including comparison listing of all Intel Unixes known to him. McDonald’s, Burger King, Pizza Hut, and Ground The list of vendors from the final archival version [33] Round, which involve lots of parallel small reads, in part: AUUGN Vol.24 ~ No.2 - 47 - June 2003 Labs codebase had been incorporating large amounts Univel UnixWare Release 4.2 Consensys System V Release 4.2 of software from the BSD sources. The University’s UHC UnixWare Release 4,2 cause of action lay in the fact that AT&T, USL and ESIX System V Release 4.0.4.1 Novell had routinely violated the terms of the BSD Micro. Stat±onTechnology:iSVr4 UNIX license by removing license attributions and Microport System v Release.4.0 version 4 UHC Version 4.0.3.6 copyrights. SCO Open Desktop 3.0 BSD!386 1.0 The exact terms of final settlement, and much of the NEXTSTEP 3,1 Yggdrasil.Linux/GNU/X judicial record, were sealed at Novell’s insistence. The Soft Landihg Software key provisions are, however, described in Twenty Years of Berkeley Unix: From AT&T-Owned to Freely or personally ran two of these " Microport and Redistributable, , [McKusick99]. Only three files out of Yggdrasil " and a third not listed, which was the Dell eighteen thousand in the distribution were found to own-brand port. be the licit property of Novell (and removed). The rest were ruled to be freely redistributable, and continue As far back as 1983, old SCO had already had serious to form the basis of the open-source BSD competition in the 386 Unix market from Interactive distributions today. Systems Corporation (later bought by Sun Microsystems). Ten years ago " at a time when Linux was in its infancy " the courts already found the contributions Not only was old SCO far from unique as an Intel of other parties to what is now UnixWare to be so Unix vendor, but SMP Unix implementations date as great, and Novell’s proprietary entitlement in the code far back as 1985. The Sequent Corporation produced so small, that Novell’s lawyers had to settle for a machines[34] featuring 2 to 30 80386 processors at minor, face-saving gesture from the University of that date. These machines ran DYNIX, a variant of Calfomia or walk away with nothing at all. Berkeley Unix. If the current lawsuit proceeds, justice requires that Better yet, consider the following quote from a 1991 the court and settlement records in the AT&T-vs.- old SCO press release[35] (emphasis added): Berkeley lawsuit be unsealed, with a view to determining the degree to which SCO/Caldera’s IP or the benefit of the entire user base, as well as the claims are nullified by the results. industry as a whole, SCO encourages all UNIX System vendors for Intel processors to join SCO, This history is well-known in the open-source USL, Intel, ISC and OSF in supporting the iBCS-2 community, and helps explain why SCO/Caldera’s standard for x86 applications. claim that ownership of the historical Bell Labs code gives it substantial rights over other Unixes such as AIX is regarded among old Unix hands with near- SCO/CALDERA MISREPRESENTS THE SCOPE OF ITS universal disdain. Some of the court documents, RIGHTS OVER UNIX including the 1993 ruling, are now available on the web I371. SCO/Caldera alleges (Paragraph 57): "When SCO acquired the UNIX assets from Novell in 1995, it If, as SCO/Caldera says, it inherited acquired rights in and to all (1) underlying, original AT&T/USL/Novell’s rights to Unix, it also inherited UNIX software code developed by AT&T Bell the res judicata hat there are many sources of code Laboratories." and engineering experience in the Unix design tradition entirely independent of AT&T/USL/Novell’s SCO/Caldera neglects to mention that those rights intellectual property. And that, seven years before had been substantially impaired before its acquisition IBM’s behavior with respect to AIX and Linux became of the ancestral Bell Labs source code. There was a an issue, AT&T/USL/Novell’s proprietary stake in at legal action in 1992-1993, in which Unix Systems least one leading-edge Unix was already so diluted in Laboratories and Novell (SCO/Caldera’s predecessors comparison with the contributions it had received in interest) sued various parties including the from elsewhere that said stake could scarcely be said University of Calfomia at Berkeley and Berkeley to exist at all. Systems Design, Inc. for alleged copyright infringement, trade secret disclosures, and trademark SCO/Caldera would, for understandable reasons, violations with regard to the release of substantial prefer that the courts remain ignorant of the history, portions of the 4.4BSD operating system[36]. outcome, and implications of the BSD lawsuit. But, of course, it bears directly on SCO/Caldera’s claim in The suit was settled after AT&T’s request for an Paragraph 93: "Rather, IBM is obligated not to open injunction blocking distribution of BSD was denied in source AIX because it contains SCO’s confidential and terms that made it clear the judge thought BSD likely proprietary UNIX operating system." to win its defense. The University of California then threatened to countersue over license violations by The implied theory here is that "SCO’s confidential AT&T and USL. It seems that from as far back as and proprietary UNIX operating system" encompasses before System V Release 4 in 1985, the historical Bell the entirety, or at least a preponderance, of the AIX AUUGN V01.24, No.2 - 48 - June 2003 code, including those portions related to enterprise LVM (in the form of VxVM). But SMP for Intel scalability issues; and that SCO/Caldera therefore processors only entered the line in 1995 with may exercise ex post facto control, even for anti- UnixWare 2. PCI hot-swapping came in only in 1998 competitive purposes, over IBM’s use of Unix in its with Unixware 7. normal course of business. Ironically, UnixWare did not get usable SMP on Intel In fact, SCO/Caldera’s complaint relies on confusing until after Linux.The UnixWare implememtation was three separate scopes of control. One: those rights unstable [38] until mid-1997; Linux got working SMP that pertain to the SCO shared libraries mentioned in 1996 with the release of 2.0139]. early in the complaint (paragraph 36 and following) only to disappear from the exposition shortly As for 64-bit support, Linux had this in 1994, five afterwards. Two: those rights entailed in years before IBM became involved in Linux SCO/Caldera’s ownership of the SCO OpenServer development. Neither of SCO’s products has this codebase. Three: putative rights entailed in SCO’s capability yet in 2003. ownership of the historical Bell Labs source code (Unixware). In fact, not one of the key enterprise-scalability technologies was present in the ancestral Unix code Since IBM’s AIX is well known to contain large before UnixWare got a JFS in 1992. SCO’s complaint portions of Berkeley code (towards which IBM has by alludes to this: in paragraphs 46 to 48 they observe all accounts met its license obligations) that it required three years of development (1995- SCO/Caldera’s theory is at best extremely dubious. In 1998) to "harden" UnixWare for enterprise use. On other words, to prove its right to relief SCO/Caldera SCO’s own representation, the Bell Labs will need to show that whatever code IBM gave to the minicomputer-centered codebase of 1989-1995 is open-source community was neither legally obtained hardly more relevant to today’s enterprise scalability by both IBM and old SCO from a common source nor challenges on today’s PCs than the inner workings of independently developed. a WWlI-era jeep would be to the design of this year’s Formula One racing cars. SCO/CALDERA’S CLAIM TO OWN UNIX SCALABILITY SCO/Caldera’s claim to own the scalability techniques certainly cannot be supported from the TECHNIQUES IS WEAK feature list of its own SCO OpenServer, agenetic Unix. The latest version[40] advertises SMP up to only We observed previously that substantial contributions 4 processors (a level which SCO’s complaint from outside sources to the historical Bell Labs dismisses as inadequate), no LVM, no NUMA, and no codebase actually date back to before System V hot-swapping. That is, SCO/Caldera is alleging that Release 4 in 1985. But even if we were to stipulate IBM misappropriated from SCO technologies which do SCO/Caldera’s undiluted ownership of the entire Bell not appear in SCO’s own product. Labs code base, its claim to own the class of enterprise scalability techniques at issue in its complaint would be very weak. SCO/CALDERA IGNORES ITS OWN ROLE IN MOTIVATING A major reason that the historical Bell Labs code base THE DEVELOPMENT IT NOW DECRIES became nomadic among USL, Novell, and old SCO after 1990 is that it was already at that time SCO/Caldera charges (paragraph 82): "Virtually none senescent relative to newer Unixes like Solaris, Irix, of these software developers and hobbyists had HP-UX, Ultrix, and others. The Vax and 3B series access to enterprise-scale equipment and testing minicomputers for which the late versions of the Bell facilities for Linux development." Labs codebase were designed were years obsolete by 1995; the internal architecture of those variants of In making this claim, SCO/Caldera blithely ignores Unix is now primarily of historical interest. We noted the existence of facilities such as the Open Source previously that SCO/Caldera and old SCO made the Development Lab[41], an organization funded by "ancient Unix" Version 7 source code available for twenty-one companies including technology giants free, which rather disposes of the theory that the such as Intel, Hewlett-Packard, Cisco Systems, NEC, original Unix code had any residual IP value in the Dell, and Hitachi - and IBM. OSDL has lab facilities in marketplace of today. (SCO belatedly terminated this Beaverton, Oregon, and Yokohama, Japan. OSDL offering on May 19th 2003, apparently realizing how opened its first lab in January 2001, four months badly it damaged their trade-secret claims.) before IBM’s withdrawal from Project Monterey. From October 2000 to October 2002, one of its sponsors Furthermore, as previously noted, many Unix was Caldera Systems International! developers possess copies of SVrl through SVr4 versions of the historical Bell Labs source code. We OSDL is explicitly dedicated to assisting projects can therefore state that of the component aiming towards carrier-grade and data-center Linux. technologies for enterprise scaling, the Bell Labs It has supported over a hundred projects, most codebase includes a journaling file system (in the directly concerned with Linux scalability, performance form of the VxFS Veritas journaling file system) and improvements, fail-over and precisely those technical AUUGN Vol.24 ~ No.2 - 49 - June 2003 areas in which SCO/Caldera alleges that Linux could lead role in the very development they accuse IBM of have made no progress without the intervention of having unfairly and unlawfully pursued, they are IBM. incompetent. If they did know, their complafnt appears to verge closely upon perjury. The existence of OSDL demonstrates industry-wide interest from large hardware vendors in scalable Linux, sufficient to sustain development with or SCO/CALDERA MISREPRESENTS THE CAPABILITY AND without IBM’s participation. But there may be a more direct linkage. EFFORTS OF THE OPEN-SOURCE COMMUNITY When OSDL spun up, IBM gained a choice: work with Most of the allegations that we have so far discussed one small partner that lacks demonstrated expertise in the complaint have been greeted among Linux and or focus on the enterprise market, or join a large Unix developers merely with derision. Now, we are consortium of industry heavyweights with man- beginning to get to the claims that have stimulated a centuries of relevant experience. tidal wave of anger at SCO/Caldera among the open- source community in the weeks since their complaint That seems just about enough time for an astute IBM was published. strategist to conclude that old SCO was the less likely alternative to sustain a serious Linux development and support effort over time. To any technical person, SCO/CAU)ERA ~nSREPRESENTS THE EFFORTS OF THE SCO’s own failure to develop expertise beyond its small-business roots seems a more plausible OPEN-SOURCE COMMUNITY explanation for the switch to OSDL than some nefarious anti-SCO conspiracy by top IBM executives. When SCO/Caldera asserts (Paragraph 75): "The To establish its right to relief, SCO/Caldera would name "Linus"(sic) was taken from the person who have to show that switching horses to OSDL was not introduced Linux to the computing world, Linus defensible as a normal business decision. Torvalds." its use of the verb "introduced" appears to be an attempt to insinuate that Linux was in some But the earlier role of Caldera in hoisting itself on its way copied or pre-existent rather than an invention own petard was far more direct and less conjectural that Linus Torvalds originated. than this. Similarly, when SCO/Caldera asserts (Paragraph 78): Symmetric multiprocessing (SMP) takes an operating "The primary purpose of the GNU organization is to system from being able to manage a single processor create free software based on valuable commercial to utilizing two. The steps from two to four, four to soflware."it portrays the GNU organization’s original eight, and eight to sixteen are not trivial but are far works as being mere derivatives or clones. In doing less challenging by comparison. Thus, SMP was so, it flatly contradicts the evidence of major GNU perhaps the single most significant barrier between projects such as the Emacs editor that is shipped by the Linux of the early 1990s and what SCO/Caldera SCO/Caldera itself not merely on its Linux but on its itself characterizes as enterprise scaling. Unix product as well. The Emacs editor predated every commercial product with even roughly Alan Cox (a key Linux developer generally considered comparable features. Linus Torvalds’s chief lieutenant) led the early work on symmetric multiprocessing in 1995. A web Both implied claims cannot but be characterized as page[42], confirmed by a public newsgroup posting false, self-serving attempts to denigrate the work of from an employee of Caldera[43] establishes that the others in order to magnify SCO/Caldera’s imputed dual-processor motherboard on which he performed importance as the present owner of the historical Bell the development was provided by none other than Labs code. Furthermore, they are offensive to the tens Caldera itself! (perhaps hundreds) of thousands of skilled programmers who have collaborated in the invention The timing is notable. Caldera began contributing of modem open-source Unixes. directly to development of an enterprise-scalable Linux at around the same time old SCO acquired the historical Bell Labs codebase in 1995, five years SCO/CALDERA MISREPRESENTS THE STATE OF LINUX before IBM became seriously involved in Linux development in 1999-2000. NOW aldera acquired the SCO brand in 2001. During the In paragraph 85, SCO/Caldera claims: "For example, more than eighteen months between the cancellation Linux is currently capable of coordinating the of Project Monterey and the filing of the complaint, simultaneous performance of 4 computer processors. Caldera continued to garner revenues from the SMP- UNIX, on the other hand, commonly links 16 enabled kernel it distributed in SCO Linux. processors and can successfully link up to 32 processors for simultaneous operation.." If Darl McBride and complainants did not know at the time of the complaint that Caldera itself had played a 32-processor SMP was already implemented under AUUGN Vol.24 o No.2 - 50 - June 2003 Linux in 2000.[44] 24-processor operation, three times the 8-processor limit of UnixWare, was a high degree of design coordination demonstrated in 1998 on a Sun E10000145]. Earlier, we noted that the success of Linux has motivated a sweeping reappraisal of some of the Today, SGI is shipping Altix 3000 cluster computers central premises of software engineering. It is now that run Linux over 64 processors[46]. generally accepted that a high degree of design coordination can be achieved within the decentralized structure of open-source and Linux development; this has been demonstrated SCO/CALDERA GROSSLY MISREPRESENTS THE STATE OF repeatedly by open-source projects such as the LINUX BEFORE ][]~1~ Apache webserver (with around 66% market share), the Perl and Python scripting languages, A major part of SCO/Caldera’s complaint turns on (a) and Linux itself. representing pre-IBM Linux as a primitive makeshift being slapped together by garage-band amateurs. SCO/Caldera’s implication that this is impossible Their implied narrative is that (b) only the corporate is false and insulting. It is also dishonest. intervention of IBM made Linux a competitive SCO/Caldera, and Caldera before it, participated product, and that (c) IBM’s intervention was in turn in Linux development for eight years before this only efficacious due to the ineffable superiority of the complaint and demonstrated understanding of the primal Bell Labs code base. process through their actions (such as supplying Alan Cox with SMP hardware). They know better. All three of these assertions are not merely false, they are profoundly disrespectful to the many, many access to expensive and sophisticated design and developers worldwide who labored with sweat and testing equipment brilliance to craft Linux into a world-class operating Caldera itself had a significant role in providing system for eight years before IBM came on the scene. that access to Linux developers. The fun begins in paragraph 84, where SCO/Caldera (3) access to UNIX code, methods and concepts alleges: "prior to IBM’s involvement, Linux was the We noted earlier that access to UNIX code, software equivalent of a bicycle." methods and concepts is general in the community from which Linux development springs, and that This was a ’bicycle’ that, by actual measurement, said access is through codebases not subject to could pedal data over the Internet faster than SCO SCO’s proprietary control or IP rights. For more OpenServer. And which by 1996, three years before than thirty years there has been a flourishing IBM involvement, already featured SMP capabilities technical literature describing Unix operating absent in SCO OpenServer and a more stable SMP system architecture and concepts. UNIX system implementation than UnixWare. internals and architecture are routinely taught in university computer science courses. Indeed, old SCO/Caldera continues: "UNIX was the software SCO’s and SCO/Caldera’s own free publication of equivalent of a luxury car. To make Linux of necessary the Version 7 source code gave many programmers quality for use by enterprise customers, it must be re- licit access to the ancestral Unix code, methods, designed so that Linux also becomes the software and concepts. equivalent of a luxury car. This re-design is not technologically feasible or even possible at the¯ UNIX architectural experience enterprise level without (1) a high degree of design The open-source community encompasses more coordination, (2) access to expensive and sophisticated man-centuries of Unix architectural experience design and testing equipment; (3) access to UNIX code, than SCO/Caldera (or even the vastly larger IBM) methods and concepts; (4) UNIX architectural could ever dream of hiring. A vast literature on experience; and (5) a very significant financial Unix design and internals has been available for investment." over a quarter century. This paragraph depends on the presumption that the A significant number of Linux developers open-source community consists of amateurs and (including the principal author) are old Unix hands incompetents, incapable of coordinating to produce whose experience stretches back to Unix’s high-quality work. In fact, the Linux developers have formative years in the 1970s and early 1980s. We consistently out-thought, out-imagined, and out- read SCO/Caldera’s animadversions not merely as a coded old SCO’s and SCO/Caldera’s - which is an insult to us and our peers, but as precisely why old SCO went into the Linux tendentious distortion of history. professional services business, why it added Linux application compatibility to OpenServer, and why a very significant financial investment SCO/Caldera now finds itself without a business While this might appear plausible to a layperson, model and reduced to suing the handiest pair of deep and was true until relatively recently, it is no pockets. longer so. One of the characteristics of open- source development is that it is an inexpensive Let us take SCO/Caldera’s’s pre-requisites in order: process. Not without costs; people still need to be AUUGN Vol.24 ~ No.2 51 - June 2003 fed and salaried. But PCs are cheap, and the "steal" some ideas from AIX and implement them in personnel load of open-source development is Linux? If not, why not, and what’s the IBM official spread across a wider range of organizations and line? user consortia than was the case when process secrecy required a high degree of centralization A: First of all, before any of us were allowed to and formal management structure. contribute to Linux, we were required to take an "Open Source Developers" class. This class gives us Part of the reason SCO/Caldera is in distress is the guidelines we need to participate effectively in that the functional role it filled as a nexus of the open source community - both IBM guidelines capital and management skills is near to being and lessons learned about open source from others obsolete. Software development is simply in IBM. outgrowing the need for such organizations. SCO/Caldera is on the wrong side of history. We are definitely not allowed to cut and paste proprietary code into any open source projects (or In paragraph 99, SCO/Caldera continues: "The only vice versa!). There is an IBM committee who can and way that the pathway is an ’eight-lane highway’ for do approve the release of IBM proprietary or Linux to achieve the scalability, SMP support, fail-over patented technology, like RCU. [48] capabilities and reliability of UNIX is by the improper extraction, use, and dissemination of the proprietary and confidential UNIX Software Code and libraries. On public evidence, not one of the five key Indeed, UNIX was able to achieve its status as the technologies for enterprise scalabflity in Linux can premiere operating system only after decades of hard plausibly be traced to historical Bell Labs code work, beginning with the finest computer scientists at through IBM. These key technologies are: AT&T Bell Laboratories, plaintiffs predecessor in interest." symmetric multi-processing (SMP) As we’ve seen, Linux SMP was worked up by Alan We hope it is clear at this point just how meretricious Cox and others using equipment provided by this claim is. By wrapping itself in the mantle of Bell Caldera itself. Labs, SCO/Caldera hopes to obscure the fact that its own non-Linux products do not in fact exhibit the j.’ournaling file systems enterprise-ready quality it accuses IBM of stealing, and never have. SCO/Caldera further attempts to IBM’s Journaling File System (JFS) was contributed confuse present-day claims arising from the Monterey by IBM deriving from IBM’s OS/2 and AIX operating project with claims putatively arising from the systems[49], not from earlier Unix efforts. obsolete Bell Labs source code. Furthermore, Linux features three other journaling filesystems, contributed by Red Hat, Namesys, and SGI. Any of these three would be sufficient for OTHER DEFECTS IN THE FACTS AND LOGIC OF THE enterprise scalabflity, and in fact the Red Hat EXT3 COMPLAINT journaling system (and not IBM JFS) is the one in THE PUBLIC EVIDENCE DOES NOT SUPPORT A CLAIM OF most common use. MISAPPROPRIATION logical volume management (LVM) SCO/Caldera alleges (paragraph 90): ’~1"o accomplish the end of transforming the enterprise software market It is a matter of record [50] that IBM’s approach to to a services-driven market, IBM set about to LVM was rejected by Linus Torvalds in favor of a deliberately and improperly destroy the economic different approach. Accordingly, even if we were to value of UNIX and particularly the economic value of stipulate that IBM had access to old SCO’s LVM UNIX on Intel-based processors" In paragraph 94 they technology, any attempted misappropriation came continue: "Over time, IBM made a very substantial to naught. financing commitment to improperly put SCO’ s confidential and proprietary information into Linux, the free operating system." non-uniform memory access (NUMA) e do not claim to be able to read the minds of IBM IBM’s NUMA work derives from the NUMA-Q executives. We do, however, know what IBM’s Linux technology of the former Sequent corporation and kernel hackers thought their marching orders were. others such as SGI, NEC and Fujitsu[51], not the In a June 2002 Slashdot interview [47], Dave Hansen historical Bell Labs codebase or any SCO and other members of IBM’s multiprocessor-Linux development effort (neither of which included team addressed the very point at issue, nine months NUMA). The extent to which this page credits non- before SCO/Caldera’s complaint: IBM organizations should be noted. Q: As Linux developers inside IBM, do you get to see the AIX source code? If you do, are you allowed to AUUGN Vol.24, No.2 - 52 - June 2003 hot-swapping OpenServer binary distribution (which has never been published in source-code form and is not under the Hot-swapping capability on PCs is dependent on GPL). It is not the purpose of this position paper to special hardware capabilities. When the hardware dispute those rights. But to the extent that supports it, hot-swapping tends to be natively and SCO/Caldera uses those proprietary rights to attempt independently enabled by all modern Unixes to cast a shadow over Linux, it maintains a position (though not by the ancestral Bell Labs code). which is factually untenable. SCO/Caldera’s claim that IBM misappropriated SCO Indeed, the effect of SCO/Caldera’s complaint is to technologies for enterprise scalability should be systematically mislead and obfuscate on the issue of evaluated in light of the following two facts: (a) The what background rights SCO/Caldera actually has at Bell Labs codebase contains neither LVM, nor hot- issue in its claim of tort and license violations. The swapping; and (b) the SCO OpenServer codebase clear intent is to deceive observers into believing that contains neither JFS, LVM, nor NUMA. SCO/Caldera has a licit claim. But that emperor has no clothes. Ultimately, SCO/Caldera’s argument would appear to boil down SCO/CALDERA IMPLIES CLAIMS IT IS BARRED FROM to asserting that "IBM had no right to give the EXPLICITLY MAKING community technologies that SCO/Caldera had made freely available on its download site." Through phrases lfl~e "misusing and misappropriating SCO’s proprietary software", and through the enumeration of five categories of rights in paragraph WHO OWNS UNIX~ ANYWAY? 68, SCO/Caldera’s complaint implies the existence of relevant intellectual-property rights based on patent, The issue of who owns Unix has always aroused copyright, trade-secret, and trademark law as a passions of an intensity and nature difficult for background to the explicit matter of its licensing strangers to the issue to understand. The drama here dispute with IBM over Linux. is not merely about money or the competing agendas of corporations, but about the Unix community’s It is notable that the complaint does so without ever sense of ownership of its own work. That community, actually stating what those claims are. We have and that sense of ownership, is exceptionally powerful previously observed that the outcome of the for reasons which bear materially on the matter of USL/Novell-vs.-BSD lawsuit places the very existence SCO/Caldera’s complaint. of such rights in serious doubt. But there are other reasons for SCO/Caldera’s coyness which should not Unix was born in 1969 at Bell Laboratories among escape notice. computer science researchers. After 1975, much of its development was actually done by contributors One is that, despite misleading claims implied on outside Bell Labs, especially at UC Berkeley and SCO/Caldera’s web pages by phrases like "exclusive elsewhere in academia. However, AT&T continued to licensing", SCO/Caldera does not own or control the formally own the results of that collective work. Unix trademark. As we have previously observed, that Indeed, they spent five years after 1983 in a largely trademark - and the privilege of suing IBM for relief fruitless quest to commercialize it as a product - a on a trademark-violation theory - belongs to The role which was played much more effectively by Sun Open Group. Microsystems and other licensees, including old SCO and IBM. Furthermore, SCO/Caldera is barred by the terms of the GNU General Public License from making Even during the early days of Unix commercialization, copyright or patent-infringement claims on any the Unix code base was widely regarded as a technology shipped in conjunction with the Linux commons worked by many hands. As time went on kernel that SCO/Caldera itself has been selling for and Unix evolved, possession of an AT&T source the last eight years. Therefore, SCO/Caldera may license came to be seen as more a pro-forma gesture accuse IBM of misappropriating SCO-owned software in the direction of history than a concession that to improve the Linux kernel only if that software does AT&T’s intellectual property still contributed a not actually ship with the Linux kernel it is alleged to dominating part of the value. This was especially so be improving! after the Berkeley hackers added Internet capability to Unix around 1980. Finally, SCO/Caldera is barred from making trade- secret claims on the contents of the Linux kernel, not Thus, the community of Unix hackers that had grown merely by the fact that the kernel source is generally up around the pre-commercial releases never lost the available, but by the fact that SCO/Caldera has made conviction that, ethically, the Unix code belonged to the sources of its Linux kernel available for download them - the people who had the ideas and wrote the from SCO’s own website! [521. code - regardless of what the legal paperwork said. The outcome of the USL-vs.-Berkeley lawsuit in 1993, SCO/Caldera, as a matter of fact and law, clearly which severed the claims of AT&T and its successor does retain proprietary rights with respect to the SCO Novell to the BSD source code, was universally AUUGN Vol.24 o No.2 - 53 - June 2003 regarded in the community as no more than simple own business advantage to respect the Unix hackers and overdue justice. as the owners of their art. From 1975 to about 1995, therefore, the Unix vendors SCO/Caldera’s complaint, in all its brazen mendacity, and the Unix hackers existed in a kind of half- is the last gasp of proprietary Unix. We in the open- symbiotic, half-antagonistic embrace. The Unix source community (and our allies) are more than hackers (who needed the jobs vendors were providing competent to carry forward the Unix tradition we to practice their craft) expressed their conviction of founded so many years ago. We pray that all ownership by freely passing around bootlegged Unix assertions of exclusive corporate ownership over this sources among themselves for study and problem- tradition be given a swift and definitive end. solving. Vendors (who needed the hackers to fill job slots) looked the other way, routinely winking at behavior that was technically a massive theft of POLICY IMPLICATIONS AND RECOMMENDATIONS critical intellectual property as long as it stayed in the family and nobody’s bottom line got hurt. But given this history, any attempt to make a trade-secret claim A judgment in favor of SCO/Caldera could do serious based on the historical Bell Labs source code would damage to the open-source community. be at best highly disingenuous. SCO/Caldera’s implication of wider claims could turn Linux into an intellectual-property minefield, with potential users and allies perpetually wary of being This tacit truce began to disintegrate after 1990. The rise of the PC meant that the hackers had less need of mugged by previously unasserted IP claims, and ever- more-outlandish theories of entitlement being massive corporate infrastructure and capital propounded by parties with only the most tenuous concentrations to support their art. The USL-vs.- relationship to anyone who ever wrote actual program Berkeley lawsuit was the first major confrontation code. that the hackers won. Under the settlement terms, the Berkeley source code - and the Unix tradition with On behalf of the community that wrote most of it - achieved the autonomy in law that it had always today’s Unix code, and whose claims to have done so deserved in the minds of Unix programmers. were tacitly recognized by the impairment of AT&T’s Two related developments were going on at the same rights under the 1993 settlement, we protest that to time between 1990 and 1995. One was the rise of allow this outcome would be a very grave injustice. We wrote our Unix and Linux code as a gift and an open-source development, and the other was the expression of art, to be enjoyed by our peers and used senescence of the historical Bell Labs codebase. While by others for all licit purposes both non-profit and corporate Unix vendors continued to pay formal for-profit. We did not write it to have it appropriated obeisance to the Bell Labs codebase by buying Unix by men so dishonorable that after making profit from source code licenses from AT&T’s successors in interest, the rise of Linux and the open-source BSDs our gift for eight years they could turn around and insult our competence. made the disposition of the ancestral Unix sources increasingly seem a meaningless game played among Damage to the open-source community would matter, lawyers, of little remaining interest to Unix hackers. because we are both today’s principal source of The technical leading edge of the Unix tradition had moved elsewhere, notably to Linux. Nobody, neither innovation in software and the guardians and maintainers of the open Internet. Our autonomy is the vendors nor the hackers, really needed the Bell everyone’s bulwark against government and corporate Labs source code any more. control of the digital media that are increasingly central in political, commercial, and personal Indeed, when the old-school Unix hackers who at that time ran old SCO purchased the ancestral Bell Labs communications. Our creative energy is what perpetually renews and finds ever more exciting uses code in 1995, it was widely viewed as little more than for computers and networks. The vigor of our culture a bit of clever marketing, or even as a pure nostalgia today will translate into more possibilities for trip by techies who had bought the ancestral source code just because they could. (It appears that this is everyone tomorrow. not quite correct; old SCO employees who have On behalf of Unix developers over the last thirty-five spoken off the record with us say that Caldera was years, of today’s Linux and open-source developers, also buying access to old SCO’s channel partners and and of all Internet users everywhere, we therefore distributor network.) At that time (as we have noted express these hopes with respect to court findings: in the section called "SCO’s history with open source") old SCO gave every evidence of understanding and To find against SCO/Caldera in its complaint endorsing Linux. against IBM, or for IBM on any motion for But SCO/Caldera is no longer run by Unix old hands. dismissal or summary judgment. To ground the finding in terms which will foreclose Their complaint, once again, has thrust the question of "who owns Unix" into the foreground of debate. any future claims by SCO/Caldera of proprietary This time around, the hacker community has control over technologies contributed to Linux. corporate allies (IBM among them) who understand To confirm that SCO/Caldera cannot re-litigate the the new world of open source - and that it is to their USL/Novell-vs.-BSD action by stealth, and thus AUUGN Vol.24 ~ No.2 - 54 - June 2003 that SCO/Caldera’s ownership of the ancestral http: //www,unix.org/what is unix/the_brand,html. Bell Labs source code gives it no authority or proprietary entitlement over the works of the open- The Open Group maintains a list of vendors of source community and Unix developers at large. registered Unix products at http://t~v.unix- systems, org/vendors / We further suggest that SCO/Caldera’s complaint is knowingly deceptive to a degree that recommends [3] The UNIX System -- Trademark Usage -- Unix sanctions under the Utah and Federal Rule 11 of Civil trademark. Procedure. [4] Strictly speaking, what Linus wrote was the Linux OSI is not requesting any more general finding on kernel. He and others combined the kernel with pre- broad issues of intellectual property in software, even existing software, much of it written or sponsored by supposing that were within the purview of the court. the GNU project of the Free Software Foundation, to We feel the facts of Unix history are sufficiently produce afull operating system. compelling and particular that the court would be justified in ruling as we recommend without [5] We use the term "hacker" in its correct and attempting to challenge and re-construct the entire original sense here, as an enthusiast or artist of legal theory of software intellectual property. computer programming. [6] One of the best-known papers on this topic is Fuzz Revisited. ~IBLIOGRAPHY [71 See http://shop,caldera.com/caldera/aneient,html and [TNHD] The New Hacker’s Dictionary. Third Edition. http://minnie,tuhs.org/pipermail/pups/2000-April/000181.html Eric S. Raymond. Copyright © 1996. ISBN 0-262- 68092-0. MIT Press. 547pp.. HTML at the Jargon File [8] The material in the Unix relationships chart is Resource Page.. from the Unix History Timeline. [CATB] The Cathedral and the Bazaar. Second [91 See The Creation of the UNIX* Operating System: Edition. Eric S. Raymond. Copyright © 1999. ISBN 0- Early versions of the UNIX* System for a more 596-00131-2. O’Reilly & Associates. 240pp.. How and detailed history. why the Linux development model works. HTML here [10] UnixWare Frequently Asked Questions (General). [TAOUP] The Art of Unix Programming. Second [11] The Decision to Divest: Incredible or Inevitable? Edition. Eric S. Raymond. Copyright © 2003. ISBN 0- By Trudy E. Bell. (Reprinted from IEEE Spectrum 13-142901-9. Addison-Wesley. 240pp. Work in Online June 2000. Volume 37. Number 6.) progress, to be published August 2003. HTML of the draft is here . [ 12] History of SCO [McKusick99] Open Sources: Voices from the Open [ 13] History of Tarantella, Inc. Source Revolution. Sam Ockman and Chris D/Bona. Copyright © 1999. ISBN 1-56592-582-3. 280pp. [14] AT&T History - The Bell System O’Reilly & Associates. ’"rwenty Years of Berkeley Unix". From AT&T-Owned to Freely Redistributable. [151 USO renamed UNIX System Laboratories, McKusick Kirk Marshall. Available on the Web . Inc.News release 25 Jun 1990. [16] The Creation of the UNIX* Operating System: Ao WORK ~N PROGRESS Business gets the word Lucent Technologies. This position paper is maintained in DocBook XML [17] 11 computer companies purchase equity in UNIX format. Please obtain the latest copy of the source System Labs News release 3 Apr 1991. before dffi’ing any patches for submission. [18] Annual meeting in Chicago; AT&T income up 6.6 percent News release 17 Apr 1991. [ 1] http://~mw~r,sco.com/scosource/complaint3,06,03,html The gain on the sale of ownership interests in UNIX System Laboratories added $43 million to other [2] There is a list of the trademarks owned by The income. Open Group at http://wvvav, opengroup,org/legal,htm#The Open Group’s Trademarks [19] The Creation of the UNIX* Operating System: UNIX moves on Lucent Technologies. Old SCO could call OpenServer and UnixWare Unix because the source passes the tests necessary for [20] Novell and USL to form joint venture for UNIX Unix branding by The Open Group. See and Netware News release 15 Oct 1991. AUUGN Vol.24 ~ No.2 - 55 - June 2003 The size of the Unix market in dollars is given in the [21] Novell and Unix System Labs create Univel, a February 10, 2003 CNET article "Sales Increase for networking company News release 12 Dec 1991. U.S. Linux Servers" (available online at http://news.com.c0m/2100-1001-984010.html). The figure for Novell and USL are contributing cash and technology 2003 is $1.69 billion. rights to Univel. Novell holds a 55 percent share in the new company. Although specific financial terms of Product revenue of $53 million divided by $1,690 the joint venture were not disclosed, the companies million is 3.14 percent, the figure used. Assuming acknowledged that Univel has been underwritten with every dime of old SCO’s revenue came from "the Unix $30 million cash and other assets. server market", their market share could not exceed 3.80 percent (I.E. $64.2/$1690). In addition, the joint venture will have access to technical resources and the education, training, [30] sales, marketing and distribution capabilities of the http: //www, sec,gov/Archives/edgar/data/1102542/00010474690 parent companies. 3003091/a2101798z10-k,htm [22] Novell signs letter of intent to purchase UNIX [31] E.g., McDonald’s restaurants. The McDonald’s System Labs News release 21 Dec 1992. chain was, and apparently remains, SCO’s biggest customer. [23] Novell signs definitive agreement to buy AT&T’s UNIX System Labs News release 16 Feb 1993, [32] http: //os2ports,com/docs/aix/withdraw,html [24] Novell completes acquisition of UNIX System [33] http://www.catb.org/esr/faqs/clone-unix-guide.txt Laboratories News release 14 Jun 1993. [341 http: //~v,cs,berkele~r, edu/~culler/machines/sequent2,ps [25] HP, Novell and SCO To Deliver High-Volume http://www, cs,berkeley,edu/~culler/machines/sequent2,ps UNIX OS With Advanced Network And Enterprise Services Novell press release 20 Sep 1995. [351 http://groups,google,com/groups?q=iBCS+www.intel,com&hl=en&lr SCO has purchased the UnixWare business from =&ie=UTF-S&oe=UTF-S&selm=20016%40scorn.sco,COM&rnurn= 1 Novell and will consolidate its SCO OpenServer sys[em and Novell’s Unix~Vare into a merged high- [36] Unix System Laboratories v. Berkeley Software volume Intel-based UNIX operating system hat Design, Inc., 1993 U.S. Dist. LEXIS 19503; 27 provides interfaces in common with HP-UX. U.S.P.Q.2D (BNA) 1721, issued 30 Mar 1993. There was a subsequent case, 832 F. Supp. 790, issued 7 [26] Novell Completes Sale of UnixWare Business to September 1993, but it was largely a technical ruling The Santa Cruz Operation Novell press release 6 Dec on sovereign immunity and does not bear on the 1995. issues in this brief. Novell, Inc. today completed the sale of its UnixWare [37] http: / / cm,bell-labs.com/em/cs/who/ dmr/bsdi/bsdisuit,htm business to The Santa Cruz Operation, Inc. (SCO), finalizing an agreement first announced in [38] http://groups.google.com/groups?hl=en&lr=&ie=UTF- September, 1995. Under the agreement, Novell 8&oe=utf-S&selm=Sjlkiv%24hm5%241%40news3.texas.net receives approximately 6.1 million shares of SCO common stock, resulting in an ownership position of [39] http://ouray.cudenver.edu/~etumenba/smp-howto/SMP- approximately 17 percent of the outstanding SCO HOWTO-2,html capital stock. The agreement also calls for Novell to receive a revenue stream from SCO based on revenue [40] performance of the purchased UnixWare business. http://www, caldera.com/products/openserver/enterprise.html; This revenue stream is not to exceed $84 million net note the sentence "Support for systems with up to 4 present value, and will end by the year 2002. CPUs" [27] [41] http://wawc, osdl.org/ http: / /w~a~,cnn,com/TECH / computing/ 9908 /18 / scoforum,idg/ [42] http: //www.linux,org,uk/SMP/title.html [28] http://web, archive, org/web/20000816145931/www, sco. c0m/linux [431 / http://groups,google,eom/groups?selm=44qeOm%24gno%40ealder a,com, [29] SCO/Caldera filed an annual report on Jan 27, 2003, (available online here). Revenue is broken down [44] A dated boot log of a 32-processor SMP Linux box on page 19, with a total of $64.2 million reported for (albeit one running with only 31 processors active) is fiscal year 2002, of which $53.0 million comes from at http: //lists. insecure, org/linux-kernel/2000/Sep / 5014. html. "products" and $11.3 million from "services". [45] http://samba,org/~anton/e lO000/dmesg_24 AUUGN Vol.24 o No.2 - 56 - June 2003 [46] http: //~r, sgi, corn/securers/altix/ [471 h ttp : / / interviews,slashdot,org/ article,pl?sid=02 / 06 /18 /1339201& m0de=nested [48] RCU is Read-Copy-Update, a multiprocessor technology developed by the Sequent Corporation before its acquisition by IBM. [49] http://oss.software,ibm,com/developer/opensource/jfs/project/pu b/faq,txt [50] http://lwn,net/Articles/14215/; search down for ’EVMS’ [51] The sources of the NUMA work are described at http://news, com,com/2100-1001-982651,html?tag=fd_top. 152] ftp : / / ftp.sco.com / pub / seolinux/ server/ updates / 4, 0 / SRPMS / keme 1-source-2.4,19 ,SuSE-82,nosrc.rpm This article is re-printed with permission. The originals can be found at: URL: / / http: / / www. opensource, orq / sco-vs-ibm, html Galllery Courtesy of Knno Davids More images available here: http: //www.vic. auug. org. au / sysadm03 / AUUGN Vol.24 ~ No.2 - 57 - June 2003 As with other operating systems, installation This quarter’s C )oR: involves partitioning the disk, deciding what to install, creating file systems, installing the software and configuring the system. Most machines can boot from the CD-R, where you get a menu-based Greg Lehey In previous editions of AUUGN we have distributed OpenBSD (which was derived from NetBSD in 1995) and FreeBSD, which like NetBSD was derived from 386BSD and is currently also celebrating its tenth anniversary (19 June 1993). You’ll find NetBSD very similar in feel to FreeBSD and OpenBSD, more so even than one Linux distribution resembles another. NetBSD prides itself on being portable: "’Of course it runs NetBSD". The full distribution doesn’t fit on one CD-ROM, but this CD contains installable versions for i386, Apple Mac and 32 and 64 bit SPARC implementations. Based on our surveys, that should satisfy almost everybody. If the CD-R doesn’t support your platform, please let us know: we’ll get a free CD-R to you. ’ Installing NetBSD You’ll find detailed instructions on the CD-R in a number of formats. The installation instructions for i386, for example, run to over 3,000 lines, enough to Fill this issue by themselves. In this article, I’ll just go over the basics. The root directory of the CD-R includes some documentation and boot aids, but the most important thing are the directories i386, macppc (for Mac), sparc (for 32 bit SPARC) and sparc64 (for 64 bit SPARC). Each of these directories contains platform-specific installation instructions in a number of formats: INSTALL.txt, INSTALL.html and INSTALL.ps.There’s also an INSTALL.more for use during the install process. AUUGN Vol.24 o No.2 - 58 - June 2003 MARK YOUR DIARY AUUG 2003 WHEN AND WHERE? The Dux~on Hotel, Mflsons Point, Sydney. The Conference will be held from 3 to 5 September. Tutorials will be conducted prior to the conference from 31 August to 2 September. COME ALONG AND HEAR PRESENTATIONS RELATING TO: Open Systems or other operating systems Security in the Enterprise Open Source projects Technical aspects of Computing Business cases for Open Source NeD:corking in the Enterprise Technical aspects of Unix, Linux and BSD Business Experience and Case Studies variants Cluster Computing Managing Distributed Networks Computer Security Performance Management and Networking, Internet (including the World Measurement Wide ~feb). System and Application Monitoring SPONSORS AUUG wishes to gratefully acknowledge the generous assistance given by the following organisations. DIAMOND SPONSORS microsysterns PLATINUM SPONSOR Computer Associates" GOLD SPONSOR PEARL SPONSOR PARTICIPATING SPONSOR AUUGN Vol.24 ~ No.2 - 59 - June 2003 Why not take this opportunity to highlight your company’s commitment to Unix and Open Systems? Sponsorship of this premiere event is a great way to showcase your business and products. Full details can be found at: http://www.auug.org.au/events/2003/auug2003/sponsors/ FURTHER ]INFORMATION Regular updates, including Registration Forms, which will be available shortly, can be found at: http://www.auug.org.au/events/2003/auug2003 For all other enquiries relating to AUUG 2003 please contact Liz Carroll, AUUG Business Manager on: Phone: 1-800-625 655 or (02) 8824 9511 Email: [email protected] ~/~ESSAGE FROM THE PROGRAMME CHAIR The Call for Papers for AUUG 2003 has recently closed. We received a great many good quality submissions and with room for only a limited number of presentations the choice was not easy. I would therefore like to thank all those who submitted proposals. Our speakers are drawn from a wide spectrum, from local technology enthusiasts through to internationally recognised specialists. I am confident that, between the conference and tutorial programmes, you will find many items of interest, not just on the hard-core technical side, but for Unix and open systems in general. Full programme details can be found on the AUUG website at: http://www.auug.org.au/events/2OO3/auug2003/ One of the great aspects of the conference is the opportunity to meet and network with people with a serious interest in Unix and open source solutions. In addition to the Networking Reception on Wednesday and the Conference Dinner on Thursday, there will be plenty of time during breaks to meet with your fellow delegates and discuss the latest technologies with our sponsors. I look forward to greeting you personally at the conference in September. Adrian Close Programme Chair AUUG ~003 AUUGN Vol.24 ~ No.2 - 60 - June 2003 AMERICAN BOOK STO RE 173 Elizabeth St, Brisbane Queensland 4900 Ph" (07) 3229 4677 Fax: (07) 3221 2171 Qld Country Freecall: 1809 177 395 [email protected] D ate: Address: Post Code: Phone Number: Payment Method Cheque [] Money Order Amex ~ Bankcard Diners [] Mastercard Visa Card Number: Expiry Date: Signature" This is a: Special Order Mail Order Book on Hold QUANTITY TITLE PRICE SUBTOTAL LESS 10% DISCOUNT POST & PACK TOTAL $ ...... POSTAGE AND HANDLING FEES: 1 BOOK $6.00 2-4 BOOKS $7.00 BOOKS OVER $70.00 WE WILL SEND CERTIFIED - PLEASE ADD ANOTHER $1.50 OR WAIVE CERTIFIED DELIVERY. FOR SPECIAL ORDERS, PLEASE ENCLOSE $10.00 PER BOOK AS A DEPOSIT. AUUG MEMBERSHIP RENEWAL MEMBERSHIP RENEWAL INVOICES WERE MAILED IN MAY, FOR THOSE OF YOU WHOSE MEMBERSHIP EXPIRES ON 30 JUNE 2003. IF YOU HAVE NOT YET RECEIVED YOURS, PLEASE CONTACT: L~z CARROLL, AUUG BUSINESS MANAGER EMAIL: [email protected],au PHONE: 1-8OO 625 655 FAX: (02) 8824 9522 YOU DO NOT SEND IN YOUR MEMBERSHIP RENEWAL THIS WILL BE YOUR LAST CoPY OF AUUGN! AUUGN Vol,24 ~ No.2 - 62 - June 2003 We meet at Internode, Level Contact [email protected] for further 3/132 Grenfell St aka ’the old details. AAMI building’, at 7 pm on the second Wednesday of each month. BRISBANE Inn on the Park For further information, contact the 507 Coronation Drive QAUUG Executive Committee via email Toowong ([email protected]). The techno- logically deprived can contact Rick Stevenson on (07) 5578-8933. To subscribe to the QAUUG announcements mailing list, please send an e-mail message to: CANBERRA Australian National University HOBART University of Tasmania MELBOURNE Various. For updated The meetings alternate between information See: Technical presentations in the even numbered months and purely social http: //www.vic. auug. org. au/ occasions in the odd numbered months. Some attempt is made to fit other AUUG activities into the schedule with minimum disruption. PERTH The Victoria League 276 Onslow Road Shenton Park The NSW Chapter of AUUG is now Meetings start at 6:15 pm holding meetings once a quarter in Sun Microsystems Ground North Sydney in rooms generously Floor 33 Berry Street (cnr provided by Sun Microsystems. More Pacific Hwy) North Sydney information here: http: //www. auug. org. au/nswauug/ FOR UP-TO-DATE DETAILS ON CHAPTERS AND MEETINGS, INCLUDING THOSE IN ALL OTHER AUSTRALIAN CITIES, PLEASE CHECK THE AUUG WEBSITE AT HTTP://WWWoAUUG.ORGoAU OR CALL THE AUUG OFWCE ON 1-800-625655. AUUGN Vol.24 o No.2 - 63 - June 2003 > I hereby certify that the applicant on this form is a full time student and that the following details are correct: Name of Student: Institution: ...... Student Number: ...... Use this tax invoice to apply for, or renew, Individual or Student Signed: ...... Membership of AUUG Inc. To apply online or for Institutional Membership please use http://www.auug.org.au/info/ Name: Title This form serves as Tax Invoice. Date Signed: ...... Please complete and return to: Section B: Prices AUUG Inc, PO Box 7071, BAULKHAM HILLS BC NSW 2153, AUSTRALIA If paying for your membership with a credit card, this form may be faxed to AUUG Inc. Please tick the box to apply for Membership. Please indicate if International Air Mail is required. on +61 2 8824 9522. Renew/New* Individual Membership $110.00 (including $10 GST) [] Please do not send purchase orders. Payment must accompany this form. Renew/New* Student Membership $27.50 (including $2.50 GST) [] Overseas Applicants: Surcharge for International Air Mail $60.00 [] , Please note that all amounts quoted are in Australian Dollars. * Delete as appropriate. ~ Please send a bank draft drawn on an Australian bank, or credit card authorisation. GST only applies to payments made from within Australia. Rates valid from 1 st October 2002. ~ There is a $60.00 surcharge for International Air Mail Section C: Mailing Lists If you have any queries, please call AUUG Inc on +61 2 8824 9511 or freephone 1800 625 655. AUUG mailing lists are sometimes made available to vendors. Please indicate whether you wish your name to be included on these lists: Section A: Yes [] No [] Personal Details Section D: Payment Surname: Pay by cheque First Name: Cheques to be made payable to AUUG Inc. Payment in Australian Dollars only. Title: ...... Position: ...... OR Pay by credit card Organisation: Please debit my credit card for AS ...... Address: Bankcard [] Mastercard [] Visa [] Suburb: Card Number: ...... Expires: ...... Name on card: ...... State: ...... Postcode: ...... Signature: ...... Date Signed: ...... Country: ...... Phone Work: ...... Section E: Agreement Phone Private: ...... Facsimile: ...... E-mail: I agree that this membership will be subject to rules and bylaws ofAUUG Inc as in force from time to time, and this membership will run from the time of joining/renewal until the end of the calendar or financial year Membership Number (if renewing): ...... as appropriate. 0 0 Student Member Certification Signed: ...... For those applying for Student Membership, this section is required to be completed by a Date. Signed: member of the academic staff. This form serves as Tax Invoice AUUG ABN 15 645 981 718